Originally posted by Ulf Dittmer:
Although SSL/HTTPS does create a session, it is one on a lower level than HttpSession provides - you can't derive an HttpSession from an HTTPS connection, because the session details are invisible to the servlet. So, if the point of the question is to work within the framework of servlets/JSPs, then HTTPS is not a way to create a session.
With due respect, I do not think that is entirely correct. SSL provides "SSL Session", and an ID to identify that SSL Session, which in turn can be used by the servlet container to locate and associate an HttpSession with the request. In this mode, there is not need for cookie, URL Rewriting, or any other mechanism for locating HttpSession.
Some webservers, such as IIS do not make the SSL Session ID available to servlet container plugins (or has it changed now?), in which case it is not possible to use this mechanism.