during a conversation with a Tomcat web server shall I check if JSESSIONID changes?

There's a Java code which emulates browser behaviour. It does a stateful conversation with a Tomcat server, for example: login, doSomething, logout.

The current implementation is like this:

  1. http post to "login" page, store returned cookie (assume it's JSESSIONID=9845).
  2. http post to "doSomething" page, pass stored cookie (JSESSIONID=9845) with the request, do nothing with response headers (ignoring further cookies)
  3. http get to "logout" page, pass stored cookie (JSESSIONID=9845) with the request.

This is working fine.

However I do not know if it's safe to ignore response headers in step 2. Should I expect the server changing the value of JSESSIONID during the conversation, or not?

In other words, what to do if in step 2. the server returns Set-Cookie=[JSESSIONID=9846] in the response headers?

I can imagine the followings:

  1. this can't happen in real life, not worth to check it, current code is fine.
  2. this signals a serious problem with the Tomcat server, worth check it, and the code should stop the conversation without further calls
  3. it's legal, the Tomcat server just wants to use a new identifier for the session, so I have to store the new value, and use it with subsequent calls. The current code should be completed.

I guess that real browsers do the 3. option from the above, but maybe 1. and 2. option is also acceptable?