WildFly: WFLY-14877

Do not allow application to create a new session or change the identifier of a session after response is committed


Details


      Steps to reproduce

      0. Extract example.zip, build and deploy example.war

         mvn clean package

      1. Send a request that generates a new session with 100 session attributes

         curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/new

      2. Send a request that responds with a redirect and regenerates a new session while holding the previous session object

         RegenerateServlet that invokes response.redirect(), then session.invalidate() and request.getSession(true)
         curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/regenerate

         or

         ChangeSessionIdServlet that invokes response.redirect(), then request.changeSessionId()
         curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/change

      3. Then repeat steps 1 and 2

      The newly generated session after step 2 is never expired. Also, the activeSessions metric does not decrease and the session objects remain in the heap dump.

      You can check the activeSessions metric through /metrics:

         curl -v http://${SERVER_NAME}:9990/metrics | grep -v "^#" | grep jboss_undertow.*sessions | grep example

      Also, you can check the number of session objects (like "org.wildfly.clustering.web.infinispan.session.SessionCreationMetaDataKey" and "org.wildfly.clustering.web.infinispan.session.fine.SessionAttributeKey") with jmap (or take a heap dump):

         jmap -histo:live $JAVA_PID | grep -e "org.wildfly.clustering.web.*session"

    Description

      Creating a new session, or changing the identifier of a session, would otherwise result in a session that cannot be referenced - as it is no longer possible to write the requisite JSESSIONID cookie or encode the session identifier in the location header to the response.

      These conditions should result in an ISE (IllegalStateException).
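      The two call orders from the steps above, written out as an added servlet example (not the report's example.war): the broken servlet commits the redirect before regenerating the session, so the new JSESSIONID can never be sent and the session is orphaned; the corrected one checks isCommitted() and regenerates the id before redirecting. It assumes the javax.servlet API and the /example context path; response.redirect() in the report corresponds to HttpServletResponse.sendRedirect().

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Same order as the report's RegenerateServlet: the 302 (with its Set-Cookie
// headers) is committed first, so the container cannot write the new session
// id to the client. The new session is unreachable and never times out.
@WebServlet("/regenerate-broken")
class RegenerateBrokenServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendRedirect(req.getContextPath() + "/"); // commits the response
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true); // orphaned: id cannot reach the client
    }
}

// Corrected order: refuse to touch the session once the response is
// committed (the behaviour this issue asks the container to enforce), and
// rotate the session id before anything commits the response.
@WebServlet("/regenerate")
public class RegenerateServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (resp.isCommitted()) {
            throw new IllegalStateException(
                "response already committed; cannot create or re-key a session");
        }
        // Session-fixation defence: new id, existing attributes are kept by
        // the container, and the Set-Cookie header is still writable.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```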

      People

        pferraro@redhat.com Paul Ferraro