Session ID is reused

      Reproduce:

      • Log in to any webapp
      • Take note of the session ID (Cookie JSESSIONID)
      • Log out
      • Log in again

      Expected:

      • New session ID is different from the first session ID

      Observed:

      • Same session ID is used

      Hints:

      • The session cookie is set to expire at the end of the session. In most browsers this is when all browser windows are closed
      • The current behavior allows a user to steal another user's session in a scenario where both users share the same computer and browser

            Assignee:
            Michael Schoettes
            Reporter:
            Sebastian Stamm
            Votes:
            1
            Watchers:
            3
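
A regression check for the reproduce steps above, added here as an example and not taken from the issue or the project. It replays the Set-Cookie headers of a login, logout, login flow through a browser-like cookie jar and reports whether JSESSIONID is the same after both logins. The header values and flow names are constructed samples.

```python
from http.cookies import SimpleCookie


def apply_set_cookie(jar, set_cookie_headers):
    """Update a browser-like cookie jar (name -> value) from Set-Cookie headers."""
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]
            # An empty value or Max-Age <= 0 tells the browser to drop the cookie.
            if morsel.value == "" or (max_age != "" and int(max_age) <= 0):
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def session_id_reused(flow, cookie="JSESSIONID"):
    """flow: ordered (step, set_cookie_headers) pairs for login, logout, login.

    A session cookie without Max-Age/Expires stays in the jar until the browser
    closes, so it survives a logout unless the server replaces or expires it.
    """
    jar, ids_after_login = {}, []
    for step, headers in flow:
        apply_set_cookie(jar, headers)
        if step == "login":
            ids_after_login.append(jar.get(cookie))
    first, second = ids_after_login[0], ids_after_login[1]
    return first is not None and first == second


# Constructed sample: the observed behaviour (no new cookie after logout/login).
VULNERABLE_FLOW = [
    ("login", ["JSESSIONID=A1B2C3; Path=/app; HttpOnly"]),
    ("logout", []),
    ("login", []),
]

# Constructed sample: the expected behaviour (cookie expired, new ID issued).
FIXED_FLOW = [
    ("login", ["JSESSIONID=A1B2C3; Path=/app; HttpOnly"]),
    ("logout", ["JSESSIONID=; Max-Age=0; Path=/app"]),
    ("login", ["JSESSIONID=D4E5F6; Path=/app; HttpOnly"]),
]

if __name__ == "__main__":
    print("observed flow reuses ID:", session_id_reused(VULNERABLE_FLOW))
    print("expected flow reuses ID:", session_id_reused(FIXED_FLOW))
```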
