This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
Well it should, but in truth it doesn't have to. Firstly, don't confuse logging off with invalidating the session. Invalidate can often cause a logoff or behaviour similar to it, but they aren't the same. The session id is just a tag to associate requests to a client and therefore introduce some state to the server. A client can send an invalid session id, as long as the server doesn't do anything with it, there's no problem. If someone has a valid session id then it is invalidated, the session is no longer valid, but there is no reason the same id can't be retained. If the person then starts a new session, it is OK for the server to see this ID and reuse it. In practice, I think this behaviour would be specific to the server you are using. It's valid, but far to specific for all servers to do it. Never make any assumptions on sessions or session ids, they tend to be slightly different on each server. Dave.