You're still on the server while you invalidate the session.

当您使会话无效时，您仍在服务器上。

//get stuff out of session you want before invalidating it.
currentSession = request.getSession(true);
UserProfile userProfile = (UserProfile) currentSession.getAttribute("userProfile");

//now invalidate it
currentSession.invalidate();

//get new session and stuff the data back in
HttpSession newSession = request.getSession(true);
newSession.setAttribute("userProfile", userProfile);

Get the existing; invalidate it; create a new one ...

获取现有的；使其无效；创建一个新的...

1) Get the current Session with HttpServletRequest.getSession();
2) Clear the Session: HttpSession.invalidate();
3) Create a new one: HttpServletRequest.getSession(true);

1）通过HttpServletRequest.getSession()获取当前Session；
2）清除会话：HttpSession.invalidate();
3）新建一个：HttpServletRequest.getSession(true)；

Talking generally (because this isn't a Java problem at all, it's a general web problem) session fixation arises when session IDs are easy to discover or guess. The main method of attack is when the session ID is in the URL of a page, for example http://example.com/index?sessionId=123. An attacker could setup capture a session and then embed the link in their page, tricking a user into visiting it and becoming part of their session. Then when the user authenticates the session is authenticated. The mitigation for this is to not use URL based session IDs, but instead use cookies

泛泛而谈（因为这根本不是 Java 问题，而是一个普遍的 Web 问题）当会话 ID 很容易被发现或猜测时，就会出现会话固定。攻击的主要方法是会话 ID 位于页面的 URL 中，例如http://example.com/index?sessionId=123。攻击者可以设置捕获会话，然后将链接嵌入到他们的页面中，诱使用户访问它并成为他们会话的一部分。然后，当用户验证会话时，会话被验证。对此的缓解措施是不使用基于 URL 的会话 ID，而是使用 cookie

Some web applications will use a cookie session based but set it from the initial URL, for example visiting http://example.com/index?sessionId=123would see the session id in the url and then create a session cookie from it, setting the id in the session cookie to 123. The mitigation for this is to generate random session ids on the server without using any user input as a seed into the generator.

某些 Web 应用程序将使用基于 cookie 会话但从初始 URL 设置它，例如访问http://example.com/index?sessionId=123会在 url 中看到会话 id，然后从中创建会话 cookie，将会话 cookie 中的 id 设置为 123。对此的缓解措施是在服务器上生成随机会话 id，而不使用任何用户输入作为生成器的种子。

There's also browser based exploits where a poorly coded browser will accept cookie creation for domains which are not the originating domain, but there's not much you can do about that. And Cross Site Scripting attacks where you can send a script command into the attacked site to set the session cookie, which can be mitigated by setting the session cookie to be HTTP_ONLY (although Safari does not honour this flag)

还有基于浏览器的漏洞利用，其中编码不佳的浏览器将接受为非原始域的域创建 cookie，但您对此无能为力。以及跨站点脚本攻击，您可以向被攻击站点发送脚本命令以设置会话 cookie，这可以通过将会话 cookie 设置为 HTTP_ONLY 来缓解（尽管 Safari 不支持此标志）

For Java the general recommendation is

对于 Java，一般建议是

session.invalidate();
session=request.getSession(true); 

However at one point on JBoss this didn't work - so you need to check this works as expected within your chosen framework.

然而，有一次在 JBoss 上这不起作用 - 所以你需要在你选择的框架内检查它是否按预期工作。

Invalidate the current session and the get a new session:

使当前会话无效并获取新会话：

//invalidate the current session
request.getSession().invalidate();
/*
get another session and get the ID (getSession()) will create a session if one does not exist
*/
request.getSession().getId();