posted 6 years ago
1. You shouldn't be concerning yourself with the actual session IDs. They belong to the SERVER, not to the webapp. And the server can and WILL change the jsessionId value when it wants to and without informing the web application.
2. getSession(true) does not unconditionally create a new session/sessionID. What it does, is check to see if a session was ALREADY created. If so, it returns that existing HttpSession object. Only if no HttpSession object already exists will a new session be created.
Sometimes the only way things ever got fixed is because people became uncomfortable.