I'm looking for information on preventing session fixation attacks on web apps running on GlassFish. For Tomcat, the problem seems to have been solved transparently by the container since 5.5.29, 6.0.21, and 7.x (see https://issues.apache.org/bugzilla/show_bug.cgi?id=45255). What would be the right thing to do for GlassFish v2.1? Did I miss something obvious? Any experiences or insight greatly appreciated.