1)For managing session does user has to explicitly do encodeUrl if cookies are turned off by browser?
Yes , expilicty call the response encodeURL method for all the page links if you want to handle cookies disabled browser clients too
2)In some of the tutorials i came to know user doesn't have to do anything the server will
gerneate jsessionId automatically and server will send that to browser , user doesn't need to do anything
he has to only call this HttpSession.getSession(true);
Its partially true , i guess you dint read the before or after para of this in the referred tutorials. The user has to do "encodeURL" and everything else like adding sessionID , checking for cookies header are taken by the container. Thats what they meant by above.
3)If server is maintaining the session automatically then why we have
concepts like Cookie.addCokie() or encodeURL . It is better we can leave this to server
automatically which will generate and jsession id
Cokies does not only contain sessionID , Cookie.addCookie can be used to store some useful informations in the Client , say the preferences of the Client and when next time the client reaches server , server would load the Client preferences without ever asking the CLient again.
Its safe to use encodeURL method for all links as you never which client has restricted browser settings. But if you opt for cookies instead encodeURL , then instruct/alert the user to turn on the cookies before user can say Login or register.