My web app does not use sessions (there's no request.getSession() anywhere). But I find that the jsessionid cookie is set anyway! Can anybody tell me why that's the case? Does Tomcat send the jsessionid cookie automatically? Thanks a lot, Sigrid
Does your application contain JSP pages? If so, that is the case. A JSP page implicitly creates a new session if none exists. You can turn it off by using the page directive with the session attribute.
<%@ page session="false" %>
If you checked the generated Java file for the JSP page, you would see HttpSession session = request.getSession(). This is how the implicit JSP session object is initialized. If you turn session off, the session object will not be created. Check it!
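An added example, not part of the original thread: a small Python audit that lists the JSP files in a web app that still create the implicit session because no page directive sets session="false". The function names and the sample pages are hypothetical and constructed for illustration.

```python
import re
import sys
from pathlib import Path

JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
# Standard syntax <%@ page ... %> and XML syntax <jsp:directive.page ... />
PAGE_DIRECTIVE = re.compile(
    r"<%@\s*page\b(.*?)%>|<jsp:directive\.page\b(.*?)/?>", re.S)
SESSION_ATTR = re.compile(r"""\bsession\s*=\s*(["'])(.*?)\1""", re.S)

# Constructed sample pages, not taken from the thread.
SAMPLES = {
    "default.jsp": "<html><body>hello</body></html>",
    "disabled.jsp": '<%@ page contentType="text/html" session="false" %>\n<p>hi</p>',
    "commented.jsp": '<%-- <%@ page session="false" %> --%>\n<p>hi</p>',
    "no_at_sign.jsp": '<% page session="false" %>\n<p>hi</p>',  # scriptlet, not a directive
    "xml.jspx": '<jsp:directive.page session="false"/>',
}


def creates_session(jsp_source):
    """Return True unless a page directive sets session="false".

    The implicit session is on by default, so a page with no directive,
    a commented-out directive, or a malformed one still creates a session.
    """
    text = JSP_COMMENT.sub("", jsp_source)
    for match in PAGE_DIRECTIVE.finditer(text):
        attrs = match.group(1) or match.group(2) or ""
        attr = SESSION_ATTR.search(attrs)
        if attr and attr.group(2).strip() == "false":
            return False
    return True


def audit(root):
    """Return sorted paths of .jsp/.jspx files under root that create a session."""
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".jsp", ".jspx"):
            source = path.read_text(encoding="utf-8", errors="replace")
            if creates_session(source):
                flagged.append(str(path))
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(audit(sys.argv[1])))
    else:
        for name, source in SAMPLES.items():
            print(f"{name}: creates_session={creates_session(source)}")
```

The scan does not follow statically included fragments, so a page that gets its directive from an include is reported even though the session is disabled for it.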