Description
if Cookies are disabled within the Browser the servlet container (like Tomcat) will usually switch to URL rewriting, by adding the JSessionID to the URL.
This is dangerous because users tend to copy URLs from their browser and post them in chat or public forums, thus allowing someone else to hijack their session.
Therefor it is best practice to ensure that a sessionID will not be included within the URL.