The Servlet 3.0 API doesn't allow you to change the session id on an existing session. Typically, to protect against session fixation, you'll want to just create a new one and invalidate the old one as well.

Servlet 3.0 API 不允许您更改现有会话的会话 ID。通常，为了防止会话固定，您只需要创建一个新的并使旧的无效。

You can invalidate a session like this

您可以像这样使会话无效

request.getSession(false).invalidate();

and then create a new session with

然后创建一个新会话

getSession(true)(getSession()should work too)

getSession(true)（也getSession()应该工作）

Obviously, if you have an data in the session that you want to persist, you'll need to copy it from the first session to the second session.

显然，如果会话中有要保留的数据，则需要将其从第一个会话复制到第二个会话。

Note, for session fixation protection, it's commonly considered okay to just do this on the authentication request. But a higher level of security involves a tossing the old session and making a new session for each and every request.

请注意，对于会话固定保护，通常认为对身份验证请求执行此操作是可以的。但是更高级别的安全性涉及为每个请求扔掉旧会话并创建一个新会话。

Since Java EE 7 and Servlet API 3.1 (Tomcat 8) you can use HttpServletRequest.changeSessionId()to achieve such behaviour. There is also a listener HttpSessionIdListenerwhich will be invoked after each change.

从 Java EE 7 和 Servlet API 3.1 (Tomcat 8) 开始，您可以使用HttpServletRequest.changeSessionId()来实现此类行为。还有一个侦听器HttpSessionIdListener，每次更改后都会调用它。