Session fixation attack is a security vulnerabiltiy where the victim is tricked to login using the session given by a hacker, then the hacker can use the session after that.
Prior to GlassFish v3, one can mininize the exposure of session id in url encoding by specifying a session-properties in WEB-INF/sun-web.xml:

In GlassFish v3, with the support of Servlet 3.0, one can also achieve above by specifying the tracking-mode in WEB-INF/web.xml:



Note that the default tracking-mode in GlassFish v3 is COOKIE and URL.
In GlassFish 3.0.1 and GlassFish 3.1, a security feature is ported from Tomcat. One can configure a web application so that the session id will be changed after authentication. This mininizes the session fixation attack. One can achieve this by configuring META-INF/context.xml in war file. For instance,

The above example used form based login. If BASIC is used, then the className should be org.apache.catalina.authenticator.BaseAuthenticato r.

Read More about [Change Session Id on Authentication in GlassFish...