According to the specification, JSESSIONID is a cookie. If the client supports cookies, the session ID will be handled this way. If the client doesn't support cookies, it must use the URL rewriting mechanism, which adds jsessionid to every link in the application. BUT you can change the behavior of your app server, i.e. how it will be handled. It means you can disable using cookies, for example. If I remember correctly, JB5 uses Tomcat as its servlet container. Tomcat can control this behavior via context.xml.
About security: if it is possible, use HTTPS instead of HTTP. And yes, a session ID in the URL is not best practice.
I hope this will help.