I am using JBOSS 4.2 GA. I am able to fix the session id on the application server. JBOSS is not validating the JSESSIONID value, whether it is generated by itself or not. So, i thought of explicitly invalidating the existing session and create a new session using httpServletRequest.getSession(true) during the login action.JBOSS still returns the old jsession id .
Is this a limitation in jboss??? I also checked the emptySessionPath in server.xml and the value is "true" for HTTP,HTTPS and AJP Connectors.