URL rewriting should occur on the server. This means that you cannot "disallow" this.
Normally the preferred way is to send the session id via a cookie (using the HTTP headers). If this is not possible, the server will try to maintain the session id via URL rewriting. This means that the programmer will have to rewrite all URLs that go to the client (browser) via URLEncoder.encodeURL().
It is possible to pass the session id via a hidden field.
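
The cookie-first, URL-rewriting-fallback behaviour described in the reply above, as an added example that is not part of the original post. It assumes the `javax.servlet` API and calls `HttpServletResponse.encodeURL()` and `encodeRedirectURL()`; the servlet name, the `/cart` path and the `visits` attribute are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: class name, path and attribute name are assumptions.
public class CartServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Creating the session makes the container send the id as a cookie.
        HttpSession session = req.getSession(true);
        Integer visits = (Integer) session.getAttribute("visits");
        session.setAttribute("visits", visits == null ? 1 : visits + 1);

        // Every URL written to the client goes through encodeURL().
        // If the browser returned the session cookie, the URL comes back
        // unchanged; otherwise the container appends the session id to it.
        String next = resp.encodeURL(req.getContextPath() + "/cart");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Visits in this session: "
                + session.getAttribute("visits") + "</p>");
        // Shows which mechanism carried the id on this request.
        out.println("<p>Id from cookie: "
                + req.isRequestedSessionIdFromCookie() + "</p>");
        out.println("<p>Id from URL: "
                + req.isRequestedSessionIdFromURL() + "</p>");
        out.println("<a href=\"" + next + "\">Reload</a>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Redirect targets need the same treatment, via encodeRedirectURL().
        String target = resp.encodeRedirectURL(req.getContextPath() + "/cart");
        resp.sendRedirect(target);
    }
}
```

With cookies disabled in the browser, the "Reload" link carries the session id in the URL, so the id also ends up in access logs, browser history and `Referer` headers.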