Yes, it is a sort of defense in depth, as you will be able to verify from the client side that the session has changed, which would imply that the server does not know anything more about the current session (i.e. not tied to any user account or holding any private data, etc.). That would be an obvious security breach and it would affect everyone.

It's not a bug, your sessions are still unique, it's just the ID that is being reused.

To make sure the session is properly maintained, you must call this method before the response is committed.

Logout also results in a call to `session.invalidate`.

I do not see a clear point why it is necessary to have the session id changed or cleared after logout. Why does this requirement verify only the logout part? Why do I need to change the session id after logging out?

Clearing this ID from the client side ensures that this private value is no longer available.
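The two halves of the thread (invalidate on the server, and make sure the browser also stops sending the old ID) fit together in one logout handler. The following servlet is an added example written for this page, not code posted by anyone in the thread. It assumes a Servlet 3.0+ container whose session cookie is the default `JSESSIONID` issued for path `/`; both names are assumptions and must match whatever the container actually set, or the expiry cookie will not replace the original.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): logout that destroys the server-side
// session and expires the session cookie in the same, not-yet-committed response.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Assumed default cookie name and path; adjust to the container's configuration.
    private static final String SESSION_COOKIE = "JSESSIONID";
    private static final String SESSION_COOKIE_PATH = "/";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a fresh session
        // just so that we can destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops every attribute bound to this ID (principal, private data),
            // so a replayed old ID maps to nothing on the server.
            session.invalidate();
        }

        // Tell the browser to forget the ID as well. Cookies are headers, so this
        // only works while the response is uncommitted (nothing written to the body,
        // no earlier flush); after commit the header is silently lost.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);                 // 0 = delete immediately
        expired.setPath(SESSION_COOKIE_PATH); // must equal the path of the original cookie
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Redirect commits the response; all header changes are done above this line.
        response.sendRedirect(request.getContextPath() + "/login");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Many applications expose logout as a plain link; reuse the POST logic.
        doPost(request, response);
    }
}
```

A quick check that the requirement is met: log in, note the `Set-Cookie` value in the browser's developer tools, log out, and confirm that the response carries `JSESSIONID=; Max-Age=0` and that a subsequent request with the old value is treated as anonymous. If the cookie is absent from the logout response, the usual cause is that something wrote to the response body before `addCookie` ran.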