This is the fix for CVE-2013-2067

Merged revision 1408043 from tomcat/trunk:
In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form.