i am using tomcat.
if i use jsessionid=617AA28660D5C1B1408543C24B186A75 in url to send session id to server, response does not put it in cookie, so if redirect happens, a completely new session will be created.
is it a bug or http specification?
i can't find anything about it in rfc though.
You don't send the session id to the server. Let Tomcat create them for you.
If there is a session id in the URL and Tomcat can't match it up to an existing session in memory, it just assumes that it is expired and ignores it.