Like Cameron said, you have to use UrlRewriting. This means that you have to specially encode all your links in your JSPs so that it can automatically append the session ID to the URL if the client doesn't support cookies. You can do this using the <c:url> JSTL tag: