The current session handling can be problematic. The http implementation manages a set of http contexts, one for the http service and one or more for the http whiteboard contexts. All these contexts run within the single servlet context provided by the container (app server or Jetty).
Therefore, as the container manages the sessions, the sessions for the various http contexts are embedded within the container session and managed by the http implementation through a session wrapper.
The current implementation assumes that there are potentially web components outside of OSGi participating and therefore uses the same session id for all inner sessions and never invalidates the container session.
We should improve this behaviour by:
a) Provide a configuration option for whether the http implementation should invalidate the session when it considers it no longer used (this was the behaviour in previous versions). It should be enabled by default; sharing the session with web components outside of OSGi is rather the exception.
b) The session wrapper uses the same session id for all internally managed sessions; this is another source of problems. The session ids used to be different in a previous version, and we should return to that.
So with the defaults set as above, we're back to the old behaviour and all internal sessions have different ids. With this, even if you have additional components such as a cache keyed by the session id, these caches will be invalidated correctly (through session events) and not reused.
If someone changes the default setting, we still have different session ids, so data from an old session (through a cache or something similar) cannot reappear in a new session.
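The two failure modes and the proposed fix, as an added model that is not Felix code (class names and the cache are assumptions): inner sessions either report the container's id (current behaviour) or their own id (proposal b), and the container session is optionally invalidated once no inner session uses it (proposal a).

```python
# Model of OSGi http-context sessions layered on one servlet-container session
# (an added illustration with assumed class names, not Felix code).
import itertools

_counter = itertools.count(1)

class ContainerSession:
    """The single session the container manages; the http impl never sees more than one."""
    def __init__(self, invalidate_when_unused):
        self.id = f"C{next(_counter)}"
        self.invalidate_when_unused = invalidate_when_unused   # option (a)
        self.active = set()   # inner sessions currently alive on top of this session
        self.valid = True

class InnerSession:
    """Per-http-context session wrapper; on_destroyed callbacks model session listeners."""
    def __init__(self, container, context, on_destroyed, distinct_ids):
        self.container, self.on_destroyed = container, on_destroyed
        # shared mode: every inner session reports the container id; distinct mode: its own
        self.id = f"{container.id}-{context}-{next(_counter)}" if distinct_ids else container.id
        container.active.add(self)

    def invalidate(self):
        c = self.container
        c.active.discard(self)
        for cb in self.on_destroyed:
            cb(self.id)                  # the event carries whatever id this session reported
        if c.invalidate_when_unused and not c.active:
            c.valid = False              # nothing uses the container session any more

def scenario(distinct_ids, invalidate_when_unused=False):
    """Returns (what ctxB finds under its id, what a fresh ctxA session finds after logout,
    whether the container session is still valid once every inner session is gone)."""
    cache = {}                                       # outside component keyed by session id
    listeners = [lambda sid: cache.pop(sid, None)]   # it honours session-destroyed events
    container = ContainerSession(invalidate_when_unused)
    s1 = InnerSession(container, "ctxA", listeners, distinct_ids)
    cache[s1.id] = "alice-profile"                   # cached for ctxA's user
    s2 = InnerSession(container, "ctxB", listeners, distinct_ids)
    cross_context = cache.get(s2.id)                 # shared ids: ctxB reads ctxA's entry
    s1.invalidate()                                  # ctxA logs out; container session survives
    cache[s2.id] = "bob-profile"                     # ctxB keeps working, caches its own data
    s3 = InnerSession(container, "ctxA", listeners, distinct_ids)
    reappears = cache.get(s3.id)                     # shared ids: stale data in the new session
    for s in (s2, s3):
        s.invalidate()
    return cross_context, reappears, container.valid
```

With shared ids the cache cannot tell the contexts or the old and new ctxA sessions apart; with distinct ids both lookups miss, and with option (a) on the container session is gone once the last inner session is invalidated.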