We have an application (ATG 2010.3 and JBOSS 5.0) wherein we want to regenerate the jsessionid when the customer successfully logs in to the site.
We have tried out the following approaches from the form handler to resolve this problem:
1. Killed the old session (using session.invalidate()) and regenerated a new session. The new session still gives the old session id.
2. Deleted the jsessionid cookie and let the server regenerate a new session cookie. The server still gives the old jsessionid in the new session cookie.
3. Tried installing JBOSS 5.0 (without the ATG framework) on the local machine, and the session id change seems to be working fine.
The thing is, when we try installing JBOSS alone on our local machine and test with a standalone app, everything works fine. Somewhere ATG's session management is interfering with the JBOSS session management, which prevents us from creating a new session id on demand.
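
A way to check from captured response headers whether a login really issued a new session id, which is how each of the attempts above can be verified. This is an added example, not part of the original post; the header samples are constructed, and treating the text after the first `.` as a jvmRoute suffix is an assumption about how the container formats the id.

```python
def session_ids(raw_headers, cookie_name="JSESSIONID"):
    """Return every value set for cookie_name in a raw header block, in order."""
    values = []
    for line in raw_headers.splitlines():
        name, _, rest = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        pair = rest.split(";", 1)[0]           # drop Path, HttpOnly, Max-Age, ...
        key, _, value = pair.partition("=")
        if key.strip() == cookie_name:
            values.append(value.strip())
    return values


def core_id(value):
    """Strip an assumed '.route' suffix so a changed node name is not
    mistaken for a regenerated id."""
    return value.split(".", 1)[0]


def check_login(pre_login_headers, login_headers):
    """Compare the id issued before login with the one issued by the login response."""
    before = [v for v in session_ids(pre_login_headers) if v]
    after = [v for v in session_ids(login_headers) if v]   # skip deletion cookies
    if not before:
        return "no-pre-login-session"
    if not after:
        return "not-reissued"      # old id stays valid after authentication
    if core_id(after[-1]) == core_id(before[-1]):
        return "reused"            # new cookie, same id (the behaviour in the post)
    return "regenerated"


# Constructed sample responses, not real traffic.
PRE_LOGIN = "HTTP/1.1 200 OK\nSet-Cookie: JSESSIONID=A1B2C3D4.node1; Path=/\n"
LOGIN_REUSED = (
    "HTTP/1.1 302 Found\n"
    "Set-Cookie: JSESSIONID=; Max-Age=0; Path=/\n"          # cookie deleted...
    "Set-Cookie: JSESSIONID=A1B2C3D4.node2; Path=/\n"       # ...then same id reissued
)
LOGIN_FIXED = "HTTP/1.1 302 Found\nSet-Cookie: JSESSIONID=FFEE0099.node1; Path=/\n"

if __name__ == "__main__":
    print(check_login(PRE_LOGIN, LOGIN_REUSED))
    print(check_login(PRE_LOGIN, LOGIN_FIXED))
```
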