I've got some code in an app that I inherited that claims that. However, I'm not sure that those rules apply any more. That whole subsystem ended up being scrapped. In any event, this is more likely to be a problem when you invent your own security system instead of using the J2EE built-in container-managed security subsystem.
Don't imagine, however, that the session ID in the URL has to remain constant. The session ID is the key that's used to locate the actual HttpSession object for the user and as long as the server keeps tracking it, there's no technical reason why it couldn't change session IDs on each and every request/response cycle.
If you go manually mucking around with URLs and jamming in your own session ID, however, you can get into real trouble. Use the URL rewrite methods instead. They'll know what the current session ID is, and not accidentally jam in something that no longer applies.
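The two points in the post above, that the container is free to change the session ID at any time and that links should be produced with the servlet API's URL rewrite methods rather than by hand, as an added example (this is not code from the original post or from any particular project). It assumes a Servlet 3.1 or newer container, a hypothetical `/login` form posting `user` and `pass`, and an `authenticate()` stand-in for the real credential check.

```java
// Added example, not code from the original post.  Assumes Servlet 3.1+
// (for HttpServletRequest.changeSessionId) and a hypothetical /login form
// posting "user" and "pass"; authenticate() is a stand-in for the real check.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // encodeURL appends ";jsessionid=<current id>" only when the container
        // is actually tracking this client by URL rewriting (cookies disabled);
        // otherwise it returns the path untouched.  Never concatenate the ID
        // yourself: the value you hold may already be stale.
        String action = resp.encodeURL(req.getContextPath() + "/login");
        out.println("<form method='post' action='" + action + "'>");
        out.println("  <input name='user'> <input name='pass' type='password'>");
        out.println("  <button type='submit'>Log in</button>");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");

        if (!authenticate(user, pass)) {                 // hypothetical helper
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The session ID is only the key the container uses to find the
        // HttpSession object, so it can be replaced at will.  Rotating it at
        // the moment privileges change means any ID that existed before login
        // (for instance one handed to the browser in a URL) stops being valid.
        HttpSession session = req.getSession(true);      // ensure a session exists
        String oldId = session.getId();
        String newId = req.changeSessionId();            // Servlet 3.1+; attributes survive
        session.setAttribute("user", user);
        log("session id rotated: " + oldId + " -> " + newId);

        // Redirect targets go through encodeRedirectURL for the same reason as
        // links go through encodeURL: the container knows the *current* ID.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    // Placeholder for the real credential check (hypothetical).
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

On a container older than Servlet 3.1 the equivalent of `changeSessionId()` is to copy the attributes you want to keep, call `session.invalidate()`, and then `req.getSession(true)` to obtain a new session with a new ID. Either way, the rotation is invisible to code that uses `encodeURL`/`encodeRedirectURL`, and breaks only code that pasted an earlier ID into a URL by hand.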