When cookies are disabled on the browser, the Set-Cookie header sent by the Container will be ignored by the browser. But when the cookie with JSessionId is generated by the container , can't we get that id (using application.log() or System.out.println(session.getId()) and can't we manually type this id after the url (Like
http://localhost:7001/app/two;JSessionId=-----------) without using URL rewriting technique. I have read this is not allowed and anyhow the end user will not be able to do this.
