A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc
If you are using Tomcat and want to apply this globally to all your servlets which use Tomcat's authentication mechanism, you can write a Valve to force this behavior, as shown in this sample code.
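The sample code the answer refers to is not on this page, so what follows is an added illustration of the approach it describes, written for this edit rather than taken from the answer or from Tomcat itself. It is a hypothetical Catalina Valve that lets the rest of the pipeline run, then, if the request came in without a session and still has no authenticated principal afterwards, expires the session that was created during the request and strips the corresponding session cookie from the not-yet-committed response. The class name, the package and the decision to key only on `request.getUserPrincipal()` are assumptions of this example; the Tomcat APIs it calls (`ValveBase`, `Request.getSessionInternal`, `Session.expire`, `SessionConfig.getSessionCookieName`, the coyote `MimeHeaders`) are real.

```java
package com.example.tomcat; // hypothetical package for this illustration

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.util.SessionConfig;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * Illustrative Valve: refuse to hand out a session cookie on requests that
 * finish without an authenticated principal.
 *
 * Intended for BASIC, DIGEST or CLIENT-CERT authentication, where Tomcat
 * needs no per-client state before the credentials arrive. It is NOT
 * suitable for FORM authentication: FormAuthenticator stores the saved
 * request in a session before redirecting to the login page, and expiring
 * that session would break the login round trip.
 */
public class NoSessionBeforeAuthValve extends ValveBase {

    public NoSessionBeforeAuthValve() {
        // Marks the valve as safe to run in Tomcat's async-supporting pipeline.
        super(true);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Remember whether the client already presented a valid session.
        // A session that existed before this request is left alone.
        boolean hadSessionOnEntry = request.getSessionInternal(false) != null;

        // Let the authenticator and the application do their work.
        getNext().invoke(request, response);

        if (hadSessionOnEntry || request.getUserPrincipal() != null) {
            return; // pre-existing session, or the request was authenticated
        }

        Session session = request.getSessionInternal(false);
        if (session == null) {
            return; // nothing was created during this request
        }

        // Once headers are on the wire we can no longer retract the cookie;
        // the session is still expired so the id cannot be reused later.
        if (!response.isCommitted()) {
            removeSessionCookie(request, response);
        }
        session.expire();
    }

    /**
     * Drop only the Set-Cookie header for the context's session cookie
     * (JSESSIONID by default, or whatever sessionCookieName is configured),
     * keeping any other cookies the application set.
     */
    private void removeSessionCookie(Request request, Response response) {
        String cookieName = SessionConfig.getSessionCookieName(request.getContext());
        String prefix = cookieName + "=";

        MimeHeaders headers = response.getCoyoteResponse().getMimeHeaders();
        List<String> keep = new ArrayList<>();
        Enumeration<String> values = headers.values("Set-Cookie");
        while (values.hasMoreElements()) {
            String value = values.nextElement();
            if (!value.startsWith(prefix)) {
                keep.add(value);
            }
        }

        // MimeHeaders only offers remove-by-name, so remove all Set-Cookie
        // headers and re-add the ones that are not the session cookie.
        headers.removeHeader("Set-Cookie");
        for (String value : keep) {
            headers.addValue("Set-Cookie").setString(value);
        }
    }
}
```

To enable it, put the compiled class on Tomcat's classpath (for example `$CATALINA_BASE/lib`) and declare it in the webapp's `META-INF/context.xml` as `<Valve className="com.example.tomcat.NoSessionBeforeAuthValve"/>`; context-level valves declared this way run ahead of the authenticator, so the post-invoke check sees the principal the authenticator established. Two caveats a reviewer would raise: responses larger than the output buffer commit before the valve regains control, so the cookie can only be expired, not retracted, on those; and if the audit finding is really about session fixation rather than the cookie's mere presence, note that Tomcat's authenticators already issue a fresh session id on successful login (the `changeSessionIdOnAuthentication` attribute, on by default), which addresses that concern without any custom code.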