1. You shouldn't be concerning yourself with the actual session IDs. They belong to the SERVER, not to the webapp. And the server can and WILL change the jsessionId value when it wants to and without informing the web application.
2. getSession(true) does not unconditionally create a new session/sessionID. What it does is check to see if a session was ALREADY created. If so, it returns that existing HttpSession object. Only if no HttpSession object already exists will a new session be created.
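Both points above, shown as an added example that is not part of the original post: a servlet that reports how getSession(true) behaves and that session attributes survive a change of session ID. It assumes a Servlet 3.1+ container (for `changeSessionId()`) and the `jakarta.servlet` namespace; the `/session-demo` mapping and the `visits` attribute are hypothetical names.

```java
// Added example, not from the original post. Assumes Servlet 3.1+ and
// jakarta.servlet; on older containers use the javax.servlet packages.
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;

@WebServlet("/session-demo") // hypothetical mapping
public class SessionDemoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates: null means no session exists yet.
        boolean existed = req.getSession(false) != null;

        // getSession(true) returns the existing session and creates one
        // only when none exists, so a second call yields the same session.
        HttpSession session = req.getSession(true);
        HttpSession again = req.getSession(true);

        // Keep application state in attributes, never keyed on the ID value.
        Integer visits = (Integer) session.getAttribute("visits");
        session.setAttribute("visits", visits == null ? 1 : visits + 1);

        // The ID can be replaced while the session stays the same. Here the
        // app requests it; some containers also do it themselves at login
        // to counter session fixation.
        String idBefore = session.getId();
        String idAfter = req.changeSessionId();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session existed before request: " + existed);
        out.println("isNew: " + session.isNew());
        out.println("second getSession(true) same session: "
                + session.getId().equals(again.getId()));
        out.println("ID changed: " + !idBefore.equals(idAfter));
        out.println("visits after ID change: " + session.getAttribute("visits"));
    }
}
```

The response deliberately reports only whether the ID changed, not the ID values themselves.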