When the cookies are disabled in the client side, session id must be included as one of the parameters in the URL to do session handling and the parameter name must be "jsessionid" (as defined in the spec). To achieve this, we use encodeRedirectURL(url) or encodeURL(url) methods in the HttpServletResponse interface. The passed url string will be modified if encoding is required or returns the url unchanged if not. The implementation of these two methods are vendor specific, but the intention of these methods are to add the jsessionid as one of the parameter to the given url. The way jsessionid added to the url can be vendor specific, the only restriction is the name of the parameter should be "jsessionid". I hope you are satisfied with the explanation.