A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc
Is the problem that the JSESSIONID is visible in the browser or that it gets set in a cookie at all? I'm assuming it is the latter in your case.
1. issue a new JSESSIONID cookie after login
This is the default Tomcat behaviour if you switch from http to https at the time of login. The old one is discarded and a new one is generated.
If your login itself is over http, I guess that's another security issue for the auditors ;)
Or are all your pages over https?
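To get the session-id rotation described above on every login, regardless of whether the request switches from http to https, the application can do it itself. This is an added example, not code from the original post: a servlet for Tomcat 8 or 9 (javax namespace, Servlet 3.1+) that rotates the JSESSIONID with `HttpServletRequest.changeSessionId()` once the credentials check passes; `checkCredentials` and the `/home` redirect target are placeholder assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: any JSESSIONID the browser held before authentication is
// replaced at login, so a pre-authentication id never identifies an
// authenticated session (session fixation defence).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!checkCredentials(user, pass)) {
            // Failed login: do not create or touch any session state.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(false);
        if (session != null) {
            // A session already existed (e.g. created by a JSP before login):
            // keep its attributes but issue a new id and a new Set-Cookie.
            req.changeSessionId();
        } else {
            // No pre-authentication session: the first id is issued only now.
            session = req.getSession(true);
        }
        // Store the principal only after the id has been rotated.
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Placeholder (assumption): a real implementation checks a user store.
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

If the application uses container-managed FORM authentication instead, Tomcat's authenticator valve performs this rotation itself (the `changeSessionIdOnAuthentication` attribute, enabled by default). Pages that must not create a session before login can declare `<%@ page session="false" %>`, since JSPs otherwise create one implicitly.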