The session fixation countermeasures need to be turned on explicitly and are not in v2.
Do the JSP which generates the sessionId and the URL generated with the sessionId refer to the same WAR file? It needs to be the same WAR in GlassFish.
[Message sent by forum member 'swchan2']
http://forums.java.net/jive/thread.jspa?messageID=473186