Does Liferay DXP validate Session Identifiers?

Issue

  • Does Liferay DXP validate Session Identifiers? Yes, Liferay does validate Session Identifiers.

Environment

  • Liferay DXP

Resolution

  • Session handling in the portal can be influenced through the session-related sections of our properties files: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/system.properties#L567-L576 and https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties#L2957-L3232.

    Nevertheless, session validation and invalidation are always done by the underlying framework: the servlet container (SC) or application server (AS), for example Tomcat, which implements the respective Java API. The portal only passes the parameters needed to make that work.

    The session is created and managed by the SC / AS; the portal, however, puts some additional data there, for example when a user has been authenticated successfully. The portal triggers the invalidation of the session at some point, but even then it calls the appropriate Servlet API methods.

    While the portal, as a web application, is responding to requests, it may change the state of the session through parameters, attributes and cookies, but it always does so through the Servlet API.
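
    The container's verdict on a presented session ID is visible to any web application through the Servlet API. The filter below is an added example, not Liferay's code: the class name SessionIdAuditFilter and the log format are hypothetical, and it assumes the container provides the javax.servlet API.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical audit filter, not part of Liferay. It only reads the verdict
// the servlet container has already reached on the presented session ID.
public class SessionIdAuditFilter implements Filter {
    private static final Logger LOG =
        Logger.getLogger(SessionIdAuditFilter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) { /* no configuration */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            audit((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    private void audit(HttpServletRequest request) {
        // The ID exactly as the client sent it (cookie or URL); null if none.
        if (request.getRequestedSessionId() == null) {
            return;
        }
        // True only if the container maps that ID to a live session.
        if (request.isRequestedSessionIdValid()) {
            return;
        }
        // Unknown, expired or invalidated ID. The ID value itself is not logged.
        String source = request.isRequestedSessionIdFromURL() ? "url"
            : request.isRequestedSessionIdFromCookie() ? "cookie" : "other";
        LOG.warning("Session ID not recognised by container: source=" + source
            + " remote=" + request.getRemoteAddr()
            + " method=" + request.getMethod());
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```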
