Tomcat is vulnerable to information disclosure. It is possible because it does not prevent the leveraging use of requestedSessionSSL field, allowing the reuse of the same session ID for the next request using that Request object. The vulnerability is not easy to set up as the client because it needs the use of correct Request object.