1) By default only cookies will be used. Some servers need to to be configured to allow URL rewriting. Hidden fields are not supported by default, and I have never seen them used in
Java.
2) If the client 'disables cookies', cookie based sessions may or may not work depending on what they allow. By default session cookies are stored in-memory and not written to the hard drive. In some cases these in-memory cookies will still be allowed but persistent cookies will not.
3) by default sessions use cookies.