My recent application has two access interfaces; the first one in a normal Web interface that end users access to using browsers, the second one is a servlet based B2B interface that business partners access to using their in-house applications. Session tracking is required for both the interface, for Web interface, normal cookies based session tracking mechanism is used; while for B2B interface, as the client applications don't support cookie, URL rewriting based session tracking mechanism is used.
In order to use URL rewriting, B2B client applications must include jsessionid in its request URL. In the current implementation, when a B2B client applicaiton access the application first time, a jsessionid is output to the client, then the jsessionid is used in following requests.
The implementation of the URL rewriting in WAS consists of two parts.
Firstly, the URL rewriting must be enabled in the application session management. When both cookie and URL rewriting are enabled, WAS by default will use cookie when requests come from clients that have cookie enabled.
Secondly, the application must include the jsessionid in the response. Through the HttpSession interface provides a getId method that returns a unique identifier assigned to this session, but in WAS, the return value is only part of the jsessionid string. Currently I use the response.encodeURL method to generate a encoded URL that has a format like ...;jsessionid=0000qA9CUpmesNP-MLxR3KoXeaM:-1, from which the jsessionid is extracted using substring methods.