posted 16 years ago
Not sure what authentication has to do with it, but you haven't stated what you actually want to achieve: that the session should not expire at all, or that, once it has expired, no new one should get created.
The former can be achieved by calling HttpSession.setMaxInactiveInterval.
The latter would be very hard, if not impossible, to achieve, and doesn't make much sense to begin with (it denies the user the use of the application).
I'd also note that a new session being created once the old one has expired is standard behavior; why is it not acceptable in your case?