Thanks Ujwol for the reply,
Even I feel the same, but somehow we are unable to check the same.
We are custom login fcc, where by we are using our own page (FTL) for login, once the credentials reaches our controller, we validate the same, and make a POST call to custom login fcc for authentication, but somehow when we redirect the user to successive page, we can see a new JSESSIONID, although when we again go back to same login page, enter the credentials again, from that time, JSESSIONID did not get changed.
Hence bit confused.
We are using Web agent (Apache 2.4)