What is session cancellation?
Invalidation of the session means destruction of the session. Thus, if the session is destroyed, it indicates that the server cannot identify the client who visited in the previous one. It now creates a new session ID for this client.
Is this correct? If it is wrong, tell me the correct procedure.
Calling HttpSession.invalidate() just clears any object attached to it and marks it as invalid, so if you try to change it after that, it will throw exceptions.
Once the session has been invalidated, the session ID placed in the cookie on the client will also be invalid, and a new one will be created when a new session object is created. Thus, the new session will have a new ID.
This is useful for handling things like login/logout. Sessions should always be invalidated on login to prevent session-fixation attacks.
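The login/logout handling described in the answer above, as an added example that is not part of the original question or answer. It assumes the javax.servlet API (jakarta.servlet on newer containers); the servlet name, URL paths, parameter names, the "user" attribute and checkCredentials are hypothetical.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; names and paths are assumptions made for this example.
@WebServlet(urlPatterns = {"/login", "/logout"})
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            // getSession(false) avoids creating a session only to destroy it.
            HttpSession current = req.getSession(false);
            if (current != null) {
                current.invalidate(); // server forgets the ID held in the cookie
            }
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        String user = req.getParameter("user");
        if (!checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Discard the session ID the browser presented before authentication,
        // so an ID that was fixed in advance never becomes an authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // A new session object gets a new ID, sent to the client in a new cookie.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Placeholder that fails closed; wire it to the application's user store.
    private boolean checkCredentials(String user, String password) {
        return false;
    }
}
```

On Servlet 3.1 and later, HttpServletRequest.changeSessionId() is an alternative that issues a new ID while keeping the session's attributes.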