Undertow / UNDERTOW-196

Session ID does not change after timeout


    • Bug
    • Resolution: Done
    • Major
    • 1.0.3.Final
    • 1.0.0.Final

      I tried to set the session timeout in web.xml (or using session.setMaxInactiveInterval). The session destroy event can be received in my HttpSessionListener's sessionDestroyed method. But after that, when I refreshed the page, the session id was still the same as the old one, although the old session's attributes were cleared. For comparison, I tried invoking session.invalidate, and the session id changed in the next request.

      I don't think that the new session should have the same id as the old one. I tried JBoss AS7 and Tomcat 7; both generate a new session id.

            sdouglas1@redhat.com Stuart Douglas
            minglei.lee Minglei Lee (Inactive)
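A listener that automates the comparison described in the report, as an added example (not code from the reporter or from Undertow): it records the IDs of destroyed sessions and flags any new session created with one of them. The class name is hypothetical, and the example assumes the javax.servlet API and that the container calls sessionCreated for the replacement session.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name. Registered through @WebListener here; a <listener>
// entry in web.xml works as well.
@WebListener
public class SessionIdReuseDetector implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionIdReuseDetector.class.getName());

    // IDs of every session the container has destroyed, whether by timeout or
    // by invalidate(). The set grows without bound, so use it for a test
    // deployment, not for production traffic.
    private static final Set<String> DESTROYED = ConcurrentHashMap.newKeySet();

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        DESTROYED.add(se.getSession().getId());
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        String id = se.getSession().getId();
        if (DESTROYED.contains(id)) {
            // Log only a short prefix: a reused ID is still a live credential.
            String prefix = id.substring(0, Math.min(6, id.length()));
            LOG.severe("New session was created with the ID of a destroyed "
                    + "session (ID prefix " + prefix + "...)");
        }
    }

    // Lets a servlet or integration test check an ID it saw before the timeout.
    public static boolean wasDestroyed(String sessionId) {
        return DESTROYED.contains(sessionId);
    }
}
```

With a short timeout set in web.xml, request a page, wait for the sessionDestroyed event, then refresh: a log entry from sessionCreated means the container handed the old ID to the new session.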