Monitoring the Tomcat sessions and the HTTP requests/responses, we can see that when a session is started via startSession, an HTTP session is created and a cookie is sent. But when the session is ended via endSession, the HTTP session is not invalidated and another session is created instead.
The cookie should be sent when ending a session so that the HTTP session can be invalidated.
This behaviour seems to be present in version 2.1 and later.
We could add in AuthenticationWebService#endSession something like:
```java
// Fragment as given in the report; the expression being cast is cut off in the original.
HttpServletRequest req = (HttpServletRequest) /* request object: source truncated in the original */;
// Look the session up without creating one, and only invalidate it if it exists.
if (req.getSession(false) != null) {
    req.getSession(false).invalidate(); // body truncated in the original; the intent is to invalidate the existing HTTP session
}
```
We would also need to modify AuthenticationUtils to send the session cookie when ending a session.
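As an added illustration (not code from this report or the project), a small Python model of the servlet session semantics behind the bug: a lookup with create=true on a request that carries no cookie manufactures a second session, whereas sending the cookie and looking it up with create=false lets endSession invalidate the original. The session store and function names are hypothetical.

```python
"""Model of the endSession bug: an HTTP session is only invalidated when the
client presents its session cookie and the server looks the session up
without creating a new one (the servlet getSession(false) semantics)."""
import secrets


class SessionStore:
    """Hypothetical server-side container mimicking the servlet HttpSession API."""

    def __init__(self):
        self.sessions = {}

    def get_session(self, cookie, create):
        """Return the session id named by the cookie. With create=True a missing
        or unknown cookie yields a brand-new session, like getSession(true)."""
        if cookie in self.sessions:
            return cookie
        if not create:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"valid": True}
        return sid

    def invalidate(self, sid):
        del self.sessions[sid]


def start_session(store):
    """startSession: creates the HTTP session and returns the cookie value."""
    return store.get_session(None, create=True)


def end_session_buggy(store, cookie=None):
    """endSession as reported: no cookie is sent, so the original session is
    never found and a second session is created instead of invalidating it."""
    return store.get_session(cookie, create=True)


def end_session_fixed(store, cookie):
    """Proposed fix: look up the existing session only, then invalidate it."""
    sid = store.get_session(cookie, create=False)
    if sid is not None:
        store.invalidate(sid)
    return sid


def demo():
    """Returns (live sessions after buggy end, live sessions after fixed end)."""
    buggy = SessionStore()
    start_session(buggy)
    end_session_buggy(buggy)            # client sends no cookie
    fixed = SessionStore()
    cookie = start_session(fixed)
    end_session_fixed(fixed, cookie)    # client sends its cookie
    return len(buggy.sessions), len(fixed.sessions)
```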