This week's book giveaway is in the OCMJEA forum. We're giving away four copies of OCM Java EE 6 Enterprise Architect Exam Guide and have Paul Allen & Joseph Bambara on-line! See this thread for details.
Like Cameron said, you have to use UrlRewriting. This means that you have to specially encode all your links in your JSPs so that it can automatically append the session ID to the URL if the client doesn't support cookies. You can do this using the <c:url> JSTL tag: