If the session was truly invalidated, your code that receives the POST request should not be able to retrieve the old session. Do you have any evidence that this is actually happening?
If you are using getSession() and it does return a session it should be a new one - see the isNew() method of HttpSession.
You should be using getSession( false ) which would return null if the old session has indeed been invalidated.
Bill