1) By default only cookies will be used. Some servers need to to be configured to allow URL rewriting. Hidden fields are not supported by default, and I have never seen them used in Java.
2) If the client 'disables cookies', cookie based sessions may or may not work depending on what they allow. By default session cookies are stored in-memory and not written to the hard drive. In some cases these in-memory cookies will still be allowed but persistent cookies will not.
Cookies are never stored on the server. They are always stored on the client.
Session data is stored on the server. The only thing stored in the cookie is the sessionID. This, to answer your question, is how the server knows which client initiated each request and is used to match up the client with their session. [ May 02, 2008: Message edited by: Ben Souther ]