With J2EE sessions enabled, calls to SessionRotate and CSRFGenerateToken cause exceptions to be thrown. In a sense, this is reasonable, since the 'SessionRotate' functionality doesn't work correctly in that environment - but this raises two separate problems:
1) this is not consistent with ACF behavior - ACF doesn't complain, and a usable value is returned by CSRFGenerateToken()
2) There isn't an obvious way to know if J2EE sessions are enabled (i.e. when I shouldn't be calling these methods) - am I missing something?
For now... it seems that we have to work around this problem by building our own equivalent to CSRFGenerateToken and using it if we catch an exception from the 'real' call.
While it is true that the full benefit of SessionRotate is subverted by the J2EE session mechanism, use of a separate CSRF token is still worthwhile. We shouldn't have to build our own.
Linux (CentOS 7), Java 8 and Java 11
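The workaround described in the report, sketched as an added example (not code from the original post or from the engine): call the built-in function first and fall back to a per-session random token only when it throws. The names `safeCsrfToken`, `safeCsrfVerify` and `session.fallbackCsrf` are hypothetical, and because the report does not name the exception type, the catch is deliberately broad.

```cfml
<cfscript>
// Hypothetical helpers for illustration; not part of Lucee or ACF.
function safeCsrfToken(string key = "default") {
    var token = "";
    try {
        // Prefer the engine's own implementation whenever it works.
        return CSRFGenerateToken(arguments.key);
    } catch (any e) {
        // Reported to throw when J2EE sessions are enabled; log it so the
        // fallback path stays visible in operations.
        writeLog(text = "CSRFGenerateToken failed, using fallback: " & e.message, type = "warning");
    }
    lock scope="session" type="exclusive" timeout="5" {
        if (!structKeyExists(session, "fallbackCsrf")) {
            session.fallbackCsrf = {};
        }
        if (!structKeyExists(session.fallbackCsrf, arguments.key)) {
            // 256 random bits from the engine's key generator, hex-encoded
            // so the value is safe in form fields and URLs.
            var raw = binaryDecode(generateSecretKey("AES", 256), "base64");
            session.fallbackCsrf[arguments.key] = lCase(binaryEncode(raw, "hex"));
        }
        token = session.fallbackCsrf[arguments.key];
    }
    return token;
}

function safeCsrfVerify(required string token, string key = "default") {
    var expected = "";
    lock scope="session" type="readonly" timeout="5" {
        if (structKeyExists(session, "fallbackCsrf") && structKeyExists(session.fallbackCsrf, arguments.key)) {
            expected = session.fallbackCsrf[arguments.key];
        }
    }
    if (len(expected)) {
        // A fallback token was issued for this key: compare in constant time.
        return createObject("java", "java.security.MessageDigest").isEqual(
            charsetDecode(expected, "utf-8"), charsetDecode(arguments.token, "utf-8"));
    }
    try {
        return CSRFVerifyToken(arguments.token, arguments.key);
    } catch (any e) {
        return false; // fail closed if the built-in check is unavailable
    }
}
</cfscript>
```

The fallback token lives in the session scope, so it is only as strong as the session handling itself and should be dropped once the built-in call works under J2EE sessions.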