I use "isRequestedSessionIdFromURL" and "isRequestedSessionIdFromCookie" to check where the jsessionid is from. By the way, I use encodeURL(). It surprises me that no matter if I disable the cookie from the client side (I don't have to restart the machine for this, right?), the first time I open a browser it shows the id is from URL and it appends a jsessionid=.. for me. When I go back to the 1st page and hit refresh, then it shows the id is from cookie and that "jsessionid=.." disappears.