The current impl appends a cookie to the response at the time when a session is
created. The cookie is never removed from the response should the session later
be invalidated. This causes an unnecessary lookup for the already invalidated
session id on a subsequent request that carries the cookie with the invalidated

By not appending the cookie for the invalidated session to the response, or by
removing it from the response (if already added) before the response is
committed, the redundant session lookup will be avoided by the subsequent request.
In cases where the session lookup is expensive (i.e., HADB), the resulting
performance gains will be substantial.
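
A minimal model of the behaviour described above, added here as an illustration and not taken from the container's code; the class and function names and the `JSESSIONID` cookie name are assumptions. It counts store lookups with and without dropping the cookie, including the case where the response was committed before the session was invalidated.

```python
# Constructed model; all names here are hypothetical, not the container's API.
COOKIE = "JSESSIONID"  # assumed session cookie name


class SessionStore:
    """Stands in for an expensive session store such as HADB."""

    def __init__(self):
        self.sessions = {}
        self.lookups = 0  # each find() is one round trip to the store

    def create(self):
        sid = f"sid-{len(self.sessions) + 1}"
        self.sessions[sid] = {}
        return sid

    def find(self, sid):
        self.lookups += 1
        return self.sessions.get(sid)


class Response:
    def __init__(self):
        self.cookies = {}  # pending Set-Cookie values
        self.sent = None   # frozen copy once committed

    def commit(self):
        if self.sent is None:
            self.sent = dict(self.cookies)
        return self.sent


def first_request(store, drop_on_invalidate, commit_early=False):
    """Create a session, then invalidate it within the same request."""
    resp = Response()
    sid = store.create()
    resp.cookies[COOKIE] = sid            # appended when the session is created
    if commit_early:
        resp.commit()                     # headers already on the wire
    del store.sessions[sid]               # session invalidated
    if drop_on_invalidate and resp.sent is None:
        resp.cookies.pop(COOKIE, None)    # proposed fix: remove before commit
    return resp.commit()


def redundant_lookups(drop_on_invalidate, commit_early=False):
    """Lookups caused by the follow-up request replaying the client's cookies."""
    store = SessionStore()
    client_cookies = first_request(store, drop_on_invalidate, commit_early)
    if COOKIE in client_cookies:
        store.find(client_cookies[COOKIE])  # misses: session is already gone
    return store.lookups
```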