The session id doesn't change but the as you've noticed the GUID cookie does.
The GUID is stored in your session and is a secure only cookie. It is checked in the RequireHardLoginBeforeController and if the value sent in the cookie doesn't match the one on the server in the session then you'll be redirected to the login page.
Even if someone has your JSESSIONID value they can't impersonate you without the matching acceleratorSecureGUID value.
This made more sense when you were browsing on an http connection and then switched to https for login. The JSESSIONID could be captured by sniffing network traffic and the acceleratorSecureGUID couldn't because it is only sent over https connections.
In reality for recent accelerators the entire site is served over https so there isn't an opportunity to sniff the JSESSIONID either.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.