To preserve state, a cookie with a session id is sent to the client’s browser. With the next request, this cookie is transmitted back to the server, which allows the server to restore the state.

For security reasons, it is good practice to renew this session id once the user logs in or out.

 

FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

However, at least if you use GlassFish 4 as your servlet container, you may sometimes notice an exception in your log. It is caught internally, so surrounding the statement above with a try/catch block won't catch it. This problem may also be responsible for memory leaks [1].

Solution: Simply replace this call with a change of the session id:

((HttpServletRequest)FacesContext.getCurrentInstance()
       .getExternalContext().getRequest()).changeSessionId();
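
Where this call typically sits, as an added example that is not from the original post: a hypothetical request-scoped backing bean (AuthBean, the currentUser attribute and the navigation outcomes are assumptions) that renews the id after a successful container login and on logout. Because changeSessionId() keeps the session object and all of its attributes, the logout path removes per-user data explicitly.

```java
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical backing bean; class name, attribute name and outcomes are assumptions.
@Named
@RequestScoped
public class AuthBean {
    private String username, password;

    private HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    public String login() {
        HttpServletRequest req = request();
        try {
            req.login(username, password);      // container-managed authentication
        } catch (ServletException e) {
            return "login?faces-redirect=true"; // failed login: id stays as it was
        }
        // changeSessionId() throws IllegalStateException if no session exists.
        req.getSession(true);
        req.changeSessionId();                  // the pre-login id is no longer valid
        return "home?faces-redirect=true";
    }

    public String logout() throws ServletException {
        HttpServletRequest req = request();
        req.logout();                           // drop the authenticated principal
        HttpSession session = req.getSession(false);
        if (session != null) {
            // The id change keeps all attributes, so remove per-user data first.
            session.removeAttribute("currentUser"); // hypothetical attribute
            req.changeSessionId();
        }
        return "login?faces-redirect=true";
    }

    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```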

 

[1] http://blog.mueller-bruehl.de/programming/cdi-issue-using-glassfish-4/