This is the fix for CVE-2013-2067

In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form.