I was recently perusing security implementation guides and ran across one
that required that session IDs be "destroyed" after use and not reused.
From my understanding, it looks like the Java/Tomcat/servlet equivalent is
the JSESSIONID. I'm assuming this is probably a randomly generated ID, but I
honestly don't know without digging through the code base.

If it is a randomly generated UUID, it's a pretty safe assumption that a
duplicate ID is very unlikely and that reusing a session ID for a different
Tomcat user session is also very unlikely. Is this correct?

The action of destroying the session ID server-side (again, without looking
at the code) is probably just a string that is eventually GC'd. Is that
correct, or is it something more sophisticated?

Anyhow, I figured I would ask the Tomcat community on this one.

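The part of this that an application controls, as an added example (this is not Tomcat's code and not from the original message): the servlet API gives the application two levers for the "destroy after use, never reuse" requirement, `HttpServletRequest.changeSessionId()` (Servlet 3.1+, so Tomcat 8 and later under the `javax.servlet` package; Tomcat 10+ uses `jakarta.servlet`) to rotate the ID at a privilege change, and `HttpSession.invalidate()` to destroy it at logout. An `HttpSessionListener` shows that invalidation is a container event, not only a string going out of scope. The servlet paths, the `LoginServlet`/`LogoutServlet`/`SessionAudit` class names, and the single hard-coded credential are assumptions constructed for the example; how the container generates the ID in the first place is not examined here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical login servlet (example code, not Tomcat's own).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed credential for the example; a real application would look
    // this up in its user store and compare a salted password hash.
    private static final byte[] EXPECTED_USER = "alice".getBytes(StandardCharsets.UTF_8);
    private static final byte[] EXPECTED_PASS = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null || !checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Whatever session existed before authentication is untrusted: its ID may
        // have been handed to the victim by an attacker (session fixation). Ask the
        // container for a fresh ID; the session's attributes are kept, the old ID
        // stops resolving to this session.
        HttpSession session = req.getSession(true);
        String oldId = session.getId();
        String newId = req.changeSessionId();

        session.setAttribute("user", user);
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated; session ID rotated from "
                + oldId + " to " + newId);
    }

    // Constant-time comparison so the check does not leak which byte mismatched.
    private static boolean checkCredentials(String user, String pass) {
        byte[] u = user.getBytes(StandardCharsets.UTF_8);
        byte[] p = pass.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(u, EXPECTED_USER) && MessageDigest.isEqual(p, EXPECTED_PASS);
    }
}

// Hypothetical logout servlet: destroys the server-side session outright.
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) avoids creating a throwaway session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // fires sessionDestroyed(); the ID no longer resolves
        }
        // The browser may still present the old JSESSIONID cookie on its next request,
        // but the container will not map it to any session; a new one is created only
        // when the application asks for it.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// Container callbacks for session lifecycle: invalidate() and expiry both arrive here,
// which is where an audit trail of "ID X destroyed at time T" can be written.
@WebListener
class SessionAudit implements HttpSessionListener {
    @Override
    public void sessionCreated(HttpSessionEvent se) {
        System.out.println("session created: " + se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        System.out.println("session destroyed: " + se.getSession().getId());
    }
}
```

Deploy the three classes in one web application, POST `user=alice&pass=correct+horse+battery+staple` to `/login` and the log shows the pre-login ID being created, then the rotated ID in the response body; POST to `/logout` and `sessionDestroyed` is logged for that ID. The design point is that the application should never rely on a session ID that was issued before the user proved who they are, and should explicitly end the session rather than wait for the idle timeout.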