For authentication, the Web server creates a new session if necessary before the filter is invoked. See “Filter deployment”.
Session versioning allows use of a local copy of the session information instead of delegating it to a database. Without an associated version, session information would have to be read from the database to guarantee the data is not stale. Each session has an associated version. The version starts at one and changes each time a change is made to the session. To detect whether a session has changed, a cloned copy of the existing session is saved with which session information is compared. After processing, the request is compared to the cloned session to see if they are different.
