As documented in https://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Disable_Session_Persistence, I added the following code piece to disable session persistence in Tomcat 7.
<Manager pathname="" /> After this change I can see that SESSIONS.ser is not getting created as expected, but even after restarting tomcat, the previous JSESSIONID is still valid. Why is tomcat not invalidating the previous JSESSIONID ?