This section includes the following topics: returns the valid session object associated with the request, identified in the session cookie that is encapsulated in the request object.
Calling the method with no arguments creates a session that is associated with the request if one does not already exist.
Even if the JSESSIONID is still present the session whose ID it is holding is already invalidated , so how can you get that session back My point is when you say session.invalidate() the session object is destroyed , so even if you use the same browser which will use the same JSESSIONID how will you be able to access an object( the session in this case ) after it has been destroyed..??
I will try and put the problem differently: I have a web application which presents a login page to the user.
The Session API is a subset of the Java Servlet framework.
It centres around the Http Session object, which on the Servlet represents the "session of the client whose request is being processed".
Binds the specified object into the session with the given name.
Any existing binding with the same name is overwritten.
He then browses to another page and clicks Exit to logout.Logout also results in a call to session.invalidate.After this user again clicks on Back, Back and Reload button browser.It is up to you to provide the proper logic to detect this. I should tell that its a POST request that is getting fired when user does a RELOAD after hitting BACK.Also I did not understand your statement that it is upto us to handle it properly. Regards, Puneet If the session was truly invalidated, your code that receives the POST request should not be able to retrieve the old session.Additionally, calling the method with a Boolean argument creates a session only if the argument is Returns a Boolean value indicating that the session is new.A new session is one that the server has created and the client has not sent a request to it.So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate has been called.Once you invalidate the session , how can a user do a back and refresh and access the same ( already invalidated ) session..??To obtain or create a session, we call Sessions per se aren't terribly useful without session attributes.A session attribute is effectively a Java object that we associate with the session.