posted 9 years ago
1. You shouldn't be concerning yourself with the actual session IDs. They belong to the SERVER, not to the webapp. And the server can and WILL change the jsessionId value when it wants to and without informing the web application.
2. getSession(true) does not unconditionally create a new session/sessionID. What it does, is check to see if a session was ALREADY created. If so, it returns that existing HttpSession object. Only if no HttpSession object already exists will a new session be created.
Education won't help those who are proudly and willfully ignorant. They'll literally rather die before changing.