ZK Theft Prevention

I am extremely new to web development, but I was wondering: does anyone know what mechanisms the ZK infrastructure uses to prevent session hijacking?

+3
1 answer

If you use ZK and ZK Spring Security, it will handle this transparently for you.

The mechanism is simple. After the end user logs in, a new session is created, and all the attributes of the old session are copied to the new one (to preserve state). Then the old session is invalidated, and from then on the end user works with the new session. Since the old session ID that the bad guy has was already invalidated, he cannot hijack the session for a bad purpose.

+4
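The migration the answer describes, written against the plain Servlet API as an added example; it is not code from the original post, from ZK, or from Spring Security. The class name `SessionMigration` and the `javax.servlet` package (rather than `jakarta.servlet`) are assumptions, and the helper is meant to be called immediately after credentials have been verified.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: swaps the pre-login session for a fresh one at login time. */
public final class SessionMigration {

    private SessionMigration() {}

    public static HttpSession migrate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<>();

        // 1. Look up the pre-login session without creating one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            // 2. Snapshot its attributes so application state survives the swap.
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            // 3. Invalidate it. The ID the client presented before login
            //    (which someone else may also know) no longer resolves to a session.
            old.invalidate();
        }

        // 4. Ask the container for a new session; it gets a newly generated ID,
        //    delivered to the client in the response's session cookie.
        HttpSession fresh = request.getSession(true);

        // 5. Restore the saved state into the new session.
        saved.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

This only retires session IDs that were known before login; an ID obtained after login is still valid until that session ends. On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` changes the ID in place without copying attributes.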

Source: https://habr.com/ru/post/1781677/

