See HttpServletResponse encodeURL()and encodeRedirectURL().

请参阅 HttpServletResponse encodeURL()和encodeRedirectURL()。

These functions will rewrite your URLs appropriately to include the session information if the browser doesn't support cookies. Depending on what Java web framework you're using, these functions may be called automatically (as long as you use the framework's methods for writing URLs).

如果浏览器不支持 cookie，这些函数将适当地重写您的 URL 以包含会话信息。根据您使用的 Java Web 框架，这些函数可能会被自动调用（只要您使用框架的方法来编写 URL）。

Note that this may not be desirable in all cases, due to the security and caching implications of making the session ID visible in the links. This pagesummarizes the issues much better than I can in this short space, and provides a way to disable this feature.

请注意，由于在链接中显示会话 ID 的安全性和缓存影响，这可能并非在所有情况下都需要。 本页比我在这短短的篇幅中更好地总结了问题，并提供了一种禁用此功能的方法。

You need to append the jsessionidto all the URL's involved in your webapplication which are supposed to be invoked by the client. This includes the redirect URL's and the links in the JSP page.

您需要将 附加jsessionid到您的 web 应用程序中涉及的所有应该由客户端调用的 URL 。这包括重定向 URL 和 JSP 页面中的链接。

In case of a redirect URL, you need to use HttpServletResponse#encodeRedirectURL()first:

如果是重定向 URL，您需要先使用HttpServletResponse#encodeRedirectURL()：

response.sendRedirect(response.encodeRedirectURL("page.jsp"));

In case of links in a JSP page, you basically need to pass those URL's through HttpServletResponse#encodeURL()first. You can do this with help of JSTL's (just drop jstl-1.2.jarin /WEB-INF) <c:url>tag, it will behind the scenes pass the URL through the aforementioned method:

对于 JSP 页面中的链接，您基本上需要首先传递这些 URL HttpServletResponse#encodeURL()。您可以借助JSTL的（只需将jstl-1.2.jar放入/WEB-INF）<c:url>标记来完成此操作，它将在幕后通过上述方法传递 URL：

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
...
    <a href="<c:url value="page1.jsp" />">link1</a>
    <a href="<c:url value="page2.jsp" />">link2</a>
    ...
    <form action="<c:url value="servlet" />" method="post">
        ...
    </form>

For reference, it's good to know that html5 introduces sessionStorageas part of Web Storage. There is a good article on 24ways.org introducing it: Breaking Out The Edges of The Browser.

作为参考，很高兴知道 html5sessionStorage作为Web Storage 的一部分引入。24ways.org 上有一篇很好的文章介绍它：Breaking Out The Edges of The Browser。

Support:

支持：

• Latest: Internet Explorer, Firefox, Safari (desktop & mobile/iPhone)
• Partial: Google Chrome (only supports localStorage)
• Not supported: Opera (as of 10.10)

• 最新：Internet Explorer、Firefox、Safari（桌面和移动/iPhone）
• 部分：谷歌浏览器（仅支持localStorage）
• 不支持：Opera（从 10.10 开始）

HTML5 (including next generation additions still in development)

HTML5（包括仍在开发中的下一代添加）

If cookies are disabled, you can still maintain sessions by sending the value of JSESSIONID as a query parameter, like:

如果 cookie 被禁用，您仍然可以通过发送 JSESSIONID 的值作为查询参数来维护会话，例如：

http://www.mywebsite.com/somePage?JSESSIONID=389729387392

Keep in mind that if security is a primary concern then you may not want to use this approach, as it puts the session id right into the url.

请记住，如果安全是主要问题，那么您可能不想使用这种方法，因为它会将会话 ID 直接放入 url 中。

If cookies are disabled, most session providers append a URL parameter called JSESSIONID to maintain session state

如果 cookie 被禁用，大多数会话提供者会附加一个名为 JSESSIONID 的 URL 参数来维护会话状态

As others have mentioned, you servlet container, e.g. tomcat, automatically resorts to putting the JSESSIONID in the url if the browser doesn't allow cookies. It is configurable in tomcat, as you can see in this answer.

正如其他人所提到的，如果浏览器不允许 cookie，您的 servlet 容器（例如 tomcat）会自动将 JSESSIONID 放在 url 中。它可以在 tomcat 中配置，如您在此答案中所见。

My advice is that you simply try it. Take your web application as it is right now, without changes, and run it in your browser with cookies disabled, and see what happens.

我的建议是你只需尝试一下。将您的 Web 应用程序保持原样，不做任何更改，并在禁用 cookie 的情况下在浏览器中运行它，看看会发生什么。

The other answers are great; I don't need to repeat that. But I do have some additional comments.

其他答案都很棒；我不需要重复。但我确实有一些补充意见。

Please don't put session data (the entire session) in a cookie, but only a session id, possibly hashed. It's way too easy for people to edit the contents of a cookie. Leave the session data on the server; possibly in a database if you have lots of concurrent users or sessions live very long.

请不要将会话数据（整个会话）放在 cookie 中，而只是一个会话 ID，可能是散列的。人们编辑 cookie 的内容太容易了。将会话数据留在服务器上；如果您有很多并发用户或会话存在很长时间，则可能在数据库中。

If even the session id itself is very precious you could even put it in a POST parameter, thereby preventing that it occurs in the URL itself.

如果会话 id 本身非常宝贵，您甚至可以将它放在 POST 参数中，从而防止它出现在 URL 本身中。

Look at the standard taglibs for JSP-pages, notably the <c:url>tag.

查看 JSP 页面的标准标签库，尤其是<c:url>标签。

http://onjava.com/pub/a/pub/a/onjava/2002/05/08/jstl.html?page=2

http://onjava.com/pub/a/pub/a/onjava/2002/05/08/jstl.html?page=2

I believe that it also handles the jsession-id attribute if cookies are not available.

我相信如果 cookie 不可用，它也会处理 jsession-id 属性。