Before you get your hands on session attacks, there are SQL injection vulnerabilities in your code that you have to combat at the first place. Moreover your code implies you are storing password in plaintext without having any encryption, which is another danged security glitch. If you worry about session fixation over URLs, you can prevent URL rewriting with a Filter from where you can invalidate the session when you find that the session was identified from jsessionid, by calling isRequestedSessionIdFromURL() of HttpServletRequest.
the code has been encrypted using md5 in another java class file called within the servlets. this jsp is just for testing. sql injection has been resolved using prepared statement, brute force attack has been resolved by validating login attempt. am just concern about how to tackle session fixation attack and session hijacking