We don’t agree that anybody with half a brain disables cookies. In fact, most browsers do have cookies enabled, and everything’s wonderful. But there’s no guarantee.
If your app depends on sessions, you need a different way for the client and Container to exchange session ID info. Lucky for you, the Container can handle a cookie-refusing client, but it takes a little more effort from you.
A client with cookies disabled will ignore “Set-Cookie” response headers
If a client doesn’t accept cookies, you won’t get an exception. No bells and sirens going off to tell you that your attempt to have a session with this client went wrong. No, it just means the client ignores your attempt to set a cookie with the session ID. In your code, if you do NOT use URL rewriting, it means that getSession() will always return a NEW session (i.e. one that always returns “true” when you call isNew() on it). The client simply never sends back a request that has a session ID cookie header.
If the client ...