Invalidating the existing session and creating a new session in servlets
Note that installing this servlet is a security risk, as it exposes the server's session IDs, which unscrupulous clients may use to join other clients' sessions. The that is installed by default with the Java Web Server 1.1.x has similar behavior.

Other implementations, such as using SSL (Secure Sockets Layer) sessions, are also possible.

A servlet can discover a session's ID with the should be held as a server secret because any client with knowledge of another client's session ID can, with a forged cookie or URL, join the second client's session.

Every server that supports servlets should implement at least cookie-based session tracking, where the session ID is saved on the client in a persistent cookie. Many web servers also support session tracking based on URL rewriting, as a fallback for browsers that don't accept cookies. For a servlet to support session tracking via URL rewriting, it has to rewrite every local URL before sending it to the client.

In other words, servlets have built-in session tracking. Yes, we do feel a little like the third grade teacher who taught you all the steps of long division, only to reveal later how you could use a calculator to do the same thing.
The level of support, however, depends on the server.

Finally, you can remove an object from a session with if the session being accessed is invalid (we'll discuss invalid sessions in an upcoming section).
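
Because a session ID known to another client lets that client join the session, a login handler should discard the pre-login session and continue under a new ID. The servlet below is an added example, not code from the original page; it assumes the javax.servlet API, and the class name LoginServlet, the helper credentialsAreValid, the parameter names and the /home path are hypothetical.

```java
// Added example: session renewal at login with the javax.servlet API.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String user = req.getParameter("user");          // assumed form field
        String password = req.getParameter("password");  // assumed form field

        if (!credentialsAreValid(user, password)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession(false) returns the current session or null; it never
        // creates one, so a first-time visitor has nothing to discard.
        HttpSession old = req.getSession(false);
        if (old != null) {
            // The pre-login ID travelled in a cookie or a rewritten URL and
            // may be known to someone else; it must not survive the login.
            old.invalidate();
        }

        // With the old session invalidated, getSession(true) creates a
        // session that carries a fresh ID.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);

        // encodeRedirectURL adds the new session ID to the URL only when the
        // container decides URL rewriting is needed for this client.
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    // Hypothetical placeholder: replace with a check against the
    // application's user store. It rejects every login as written.
    private boolean credentialsAreValid(String user, String password) {
        return false;
    }
}
```

Attributes needed after login have to be copied out of the old session before invalidate() is called, because an invalidated session can no longer be read.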