A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc
HttpServletRequest.changeSessionId() can be used to change the session ID at any point in time.
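An added example (not code from the question or the answer above) showing where a Tomcat application would call changeSessionId(): in the login servlet, immediately after credentials are verified, so that whatever JSESSIONID the container issued before authentication is replaced with a fresh one. It assumes a hypothetical authenticate() helper and the javax.servlet API (Servlet 3.1+, i.e. Tomcat 8 and 9; Tomcat 10+ uses the jakarta.servlet package names).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example login servlet: rotates the session ID on successful authentication so
// a session ID handed out before login (by a JSP, the login page, etc.) is never
// reused for the authenticated session.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; the real application supplies its own.
    private boolean authenticate(String user, String password) {
        return "alice".equals(user) && "correct horse battery staple".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (user == null || password == null || !authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // changeSessionId() throws IllegalStateException if no session exists yet,
        // so make sure one does (Tomcat may already have created it pre-login).
        req.getSession(true);

        // Servlet 3.1+: keep the session's attributes but issue a new ID.
        // Tomcat adds a fresh "Set-Cookie: JSESSIONID=..." header to this response.
        req.changeSessionId();

        // Only populate the session with authenticated state after the rotation.
        HttpSession session = req.getSession(false);
        session.setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

On containers older than Servlet 3.1 the same effect is obtained by calling session.invalidate() and then request.getSession(true), at the cost of losing any pre-login session attributes.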