Invalidating session on
The problem is that when this user leaves the app (calling session.invalidate()), the JSESSIONID value does not change; it remains "12345678", but the session values were reset. The JSESSIONID cookie (or URL suffix) is a name/value pair whose name is "jsessionid" and whose value is a "random number".
That "random number" is generated to serve as a hash key used by the J2EE server (Tomcat) to retrieve the HttpSession object for that particular user.
In fact, Tomcat will generally sense the change and do that automatically on its next timed scan for changes.
Since it is "random", it exposes no details about the session itself to unfriendly listeners.