I'm fairly sure that I've spotted a bug in either Tomcat or JBoss in the way cookies are handled.
ie. I would have expected that setting this to false would totally prevent cookies from being used (ie: "disable" them), and force the container to fall-back to URL rewriting.
Indeed, that's the way it generally seems to work for us.
However, I've found one circumstance where this setting appears to be ignored by the web container, and cookies are used when they shouldn't be.
It's a problem for us because in some circumstances we want to prevent the appserver from using cookies (to permit a user to access multiple instances of the same webapp from the same browser simualtaneous).
It seems that the jboss-web directive isn't in fact disabling cookies when its set to false.
Any suggestions/workarounds/fixes would be appreciated!
...forgot to mention, this is using JBoss AS 4.0.3SP1.