session.invalidate();
Which you have tried and failed miserably. The JSESSIONID just won't change from its originally assigned value no matter what you did.
You are in luck if you are encountering this issue in your JBoss server, because I might have the answer for you.
So let's get started, first, you have to invalidate your session using the code I've posted above. Second, you have to locate server.xml files depending on the JBoss' version that you are using. For me, I'm using JBoss 4.2.3 GA, so the location is at JBOSS_HOME/server/default/deploy/jboss-web.deployer/ folder.
Located it? Great, now change all of the emptySessionPath value that you can find in this file to false.
Restart your JBoss, cross your fingers, and try again.
Cheers.
