The following code in a Servlet or JSP will cause invalid session cookies to be sent to the client: HttpSession session = req.getSession(true); session.invalidate(); req.getSession(true); Essentially the client will still see the old session cookie and then try and use the now invalidated session, breaking most applications that do this.
Fixed in 7.0.x and will be in 7.0.1 onwards. Proposed for 6.0.x
Fixed in 6.0.x and will be included in 6.0.29 onwards.
*** Bug 49641 has been marked as a duplicate of this bug. ***
The same issue happens even on Tomcat 6.0.29 on both Linux CentOS and Windows XP with exactly the same behaviour. We discovered that migrating from Tomcat 6.0.18 Does there exists a temporary fix ?
This issue has been fixed in 6.0.29. If you are experiencing issues, Bugzilla is not a support forum. Please use the users mailing list.