--- tomcat6-6.0.35/java/org/apache/catalina/authenticator/FormAuthenticator.java	2012/12/06 13:58:22	1417890
+++ tomcat6-6.0.35/java/org/apache/catalina/authenticator/FormAuthenticator.java	2012/12/06 13:58:59	1417891
@@ -31,6 +31,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.catalina.Globals;
+import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
@@ -322,6 +323,15 @@
                     config.getLoginPage(), context.getName()));
         }
 
+        if (getChangeSessionIdOnAuthentication()) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                Manager manager = request.getContext().getManager();
+                manager.changeSessionId(session);
+                request.changeSessionId(session.getId());
+            }
+        }
+
         // Always use GET for the login page, regardless of the method used
         String oldMethod = request.getCoyoteRequest().method().toString();
         request.getCoyoteRequest().method().setString("GET");
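Review bot: The Manager returned by `request.getContext().getManager()` is dereferenced without a null check, while the Session on the line above is guarded; if a Context can be deployed without a Manager (I cannot confirm that from this hunk) the forward to the login page would throw instead of rotating the id. Fetching the manager first and guarding both, `Manager manager = request.getContext().getManager();` then `if (session != null && manager != null) {`, keeps the existing session path behaviour and avoids the NPE. A why-comment above the new block would also help future readers, e.g. `// Rotate the session id before the login form is shown so an id issued before authentication is not carried into the authenticated session`. The enclosing method starts and ends outside the hunk.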
