This article documents Liferay's position regarding the Session Identifier (JSESSIONID), including how and why a new JSESSIONID is generated.
Resolution
Customers running their own security scans against the Liferay platform may notice that a new JSESSIONID is issued partway through the scan, typically at login. Some scanners flag this, but it is not a security risk: the session identifier changes because regenerating it is itself part of the platform's security mechanism.
By default, the JSESSIONID changes whenever a user logs in to the Liferay platform, because, as a security measure, the platform invalidates the previous session and issues a fresh one. Keeping the pre-login identifier after authentication would expose users to session fixation, where an attacker who planted or learned that identifier before login inherits the authenticated session. This behavior is controlled by the portal property session.enable.phishing.protection, which is set to true by default unless explicitly changed in the portal-ext.properties file. Other Java web applications achieve the same result by calling session.invalidate() on the existing session and then request.getSession(true) to create a new one; note that request.getSession(true) on its own does not change the identifier of a session that already exists. On Servlet 3.1 and later, request.changeSessionId() rotates the identifier while keeping the session and its attributes.
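The following servlet shows the same rotation done by hand for an application that does not get it from the portal. It is an added example, not Liferay code: LoginServlet, rotateSession, rotateSessionId and the placeholder authenticate method are assumed names, and the credential check is left to the application.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Liferay code): a login servlet that issues a new
 * JSESSIONID once credentials are accepted, which is what
 * session.enable.phishing.protection=true does for you in Liferay.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        String login = request.getParameter("login");
        String password = request.getParameter("password");

        if (!authenticate(login, password)) {
            // Do not touch the session on failure; nothing has changed in its trust level.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only now, after a successful credential check, rotate the identifier.
        HttpSession session = rotateSession(request);
        session.setAttribute("user", login);
        response.sendRedirect(request.getContextPath() + "/");
    }

    /**
     * Pre-Servlet 3.1 pattern. request.getSession(true) alone does NOT change the
     * identifier when a session already exists, so the old session is invalidated
     * first. Attributes set before login (for example a shopping cart) are copied
     * across explicitly; anything not copied is dropped with the old session.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();

        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // The pre-login JSESSIONID is now useless to anyone who learned it.
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true); // new session, new JSESSIONID
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Servlet 3.1+ equivalent: the container keeps the session object and all of
     * its attributes and changes only the identifier. changeSessionId() throws
     * IllegalStateException if there is no session, hence the getSession(true).
     */
    static String rotateSessionId(HttpServletRequest request) {
        request.getSession(true);
        return request.changeSessionId();
    }

    /** Placeholder for the application's own credential check (assumption). */
    private boolean authenticate(String login, String password) {
        return login != null && !login.isEmpty()
            && password != null && !password.isEmpty();
    }
}
```

Either method produces the identifier change that a scanner observes at login. When checking an application, the finding to worry about is the opposite one: a JSESSIONID that is the same before and after a successful login.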
This feature is one of the many security measures that Liferay engineers have put in place to protect the platform against threats, and it should be left enabled.