Under what conditions is a JSESSIONID created?

Question

When / what are the conditions when a JSESSIONID is created?

Is it per a domain? For instance, if I have a Tomcat app server, and I deploy multiple web

Answer 1

Beware if your page is including other .jsp or .jspf (fragment)! If you don't set

<%@ page session="false" %>

on them as well, the parent page will end up starting a new session and setting the JSESSIONID cookie.

For .jspf pages in particular, this happens if you configured your web.xml with such a snippet:

    
        *.jspf
    

in order to enable scriptlets inside them.