then I saw the message "session destroyed" follows by
"new session created". This usually happens because the "log out" button performs its action then forwards (or redirects) to a
JSP. Unless explicitly prevented, every JSP fetches or creates a session, so a new session is created immediately after the old one is destroyed.
The usual way round this is to have the "public" bits of the application, which are available to visitors who have not logged on, made out of static HTML files or non-sessional JSPs.