Description
With Tomcat 6, keeping the same session from guest state to logged-in state was the default behavior. With Tomcat 7, to address session fixation attacks, this behavior was locked down, see:
Tomcat 7 and 8 support a setting in context.xml to configure this behavior:
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
changeSessionIdOnAuthentication
Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
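To see which authenticator valves in a context.xml keep the pre-login session ID, the following audit script can be run against the file. It is an added example, not part of the original description; the sample context is constructed, the function names are hypothetical, and it assumes the attribute is parsed Java-style (only "true", in any case, enables it).

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml, modelled on the Valve shown above.
SAMPLE_CONTEXT = """<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve"/>
</Context>"""

AUTH_PACKAGE = "org.apache.catalina.authenticator."

def audit_context(xml_text):
    """Return (className, rotates_session_id, explicit) per authenticator Valve."""
    findings = []
    root = ET.fromstring(xml_text)
    for valve in root.iter("Valve"):
        cls = valve.get("className", "")
        if not cls.startswith(AUTH_PACKAGE):
            continue  # not an authenticator valve; the attribute does not apply
        raw = valve.get("changeSessionIdOnAuthentication")
        # Per the documentation quoted above, an unset attribute defaults to true.
        # Assumption: any value other than "true" (case-insensitive) means false.
        rotates = True if raw is None else raw.lower() == "true"
        findings.append((cls, rotates, raw is not None))
    return findings

def fixation_exposed(xml_text):
    """Class names of authenticators that keep the pre-login session ID."""
    return [cls for cls, rotates, _ in audit_context(xml_text) if not rotates]

if __name__ == "__main__":
    for cls, rotates, explicit in audit_context(SAMPLE_CONTEXT):
        status = "rotates session ID" if rotates else "KEEPS pre-login session ID"
        source = "explicit" if explicit else "default"
        print(f"{cls}: {status} on authentication ({source})")
```

Any valve reported as keeping the pre-login session ID has the session fixation protection switched off, as in the Valve line above, and should be reviewed together with how the application handles guest sessions.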