This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
When cookies are disabled on the browser, the Set-Cookie header sent by the Container will be ignored by the browser. But when the cookie with JSessionId is generated by the container , can't we get that id (using application.log() or System.out.println(session.getId()) and can't we manually type this id after the url (Like http://localhost:7001/app/two;JSessionId=-----------) without using URL rewriting technique. I have read this is not allowed and anyhow the end user will not be able to do this.