From my understanding, Servlet Containers handle session using some HTTP protocols like,
I'm curious how Apache Tomcat handles the session internally, though it's irrelevant to average developers.
Is Tomcat using cookies or others also?
By default, Tomcat directly sends cookies in the HTTP response , like SET COOKIE:JSESSIONID.... back to the browser and rewrites the URL to add a JSESSIONID parameter in it , for the first request, so that it can fall back on the later in case cookies are disabled in the client browser.
The next time if the browser requests the server with the JSESSIONID in its request , Tomcat will use the JSESSIONID cookie for maintaining the session.
You can overide the session cookie behavior in Tomcat by modifying context.xml:
<Context cookies="false">
</Context>
and disable the url re-writing the same way :
<Context disableURLRewriting="true">
</Context>
Even read this Servlet Session Tracking with cookies (JSESSIONID)
Tomcat sends cookies by default unless they are blocked by the user from the browser (though this practice is not encouraged). Moreover, the session cookies (JSESSIONID) that are created are not persistent cookies and they die off whenever that instance(window) of the browser is closed.