If the app makes use of JSPs, then there's your answer.
session is a JSP implicit object.
>> session is a JSP implicit object.
Now I'm wondering why I'm noticing this behavior now and now before. The session id is not only showing up in the address bar, but the generated HTML code from the JSP has the session id appended to URLS everywhere in the page. Except for the rewriiten URL in the address bar, the user doesn't see these rewrites on the page without viewing source, but it bugs me anyway.
Thanks for your response.
Yes - a servlet container should support the lowest common denominator of session tracking, which is url rewriting. (support for browsers without cookies)