How to Use HttpSessions and Authentication without Cookies?
If a user does not accept cookies, the Servlet API offers URL rewriting as a last resort to track users. This means that the web application's URLs need to be modified to include the session id. A URL with session id looks like this:
http://www.example.com/myapp/index.html;jsessionid=1234
In order to convert a regular URL into a URL with session id you need to encode it with the HttpServletResponse method encodeURL. Every URL returned by the application as part of the response needs to be encoded, including links on HTML pages, actions in HTML forms and URLs used by JavaScript.
Note that the server can not rewrite the URLs of static content. A user will always get a new session when she visits a static page and then clicks on any link on it. Thus if you rely on sessions and want to allow URL rewriting to support cookie-less sessions, don't mix static pages with dynamic (URL-rewriting) pages.
