what is the vulnerability of having Jsessionid on first request only

Backend · Unresolved · 3 · 1509
半阙折子戏 2020-12-16 07:24

Recently we removed jsessionid from the URL and did cookie-based session management to prevent "session hijacking attack"

But we found that the first request URL always has

3 answers
  •  甜味超标 2020-12-16 07:56

    did cookies based session management to prevent "session hijacking attack"

    What's stopping the cookie being hijacked?

    Session management is a server-side thing - you need the server to check (based on the cookie) that the user is meant to be logged in.

    I don't think you've improved security here at all to be honest, take a look at this excellent article to see why.
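An added example (not code from the question or from the answer above) of configuring a Servlet 3.0+ container so the session id is only ever carried in a cookie, which stops the container from rewriting ;jsessionid into URLs on the first response; the listener class name is an assumption of this example.

```java
// Added example: restrict the servlet container to cookie-based session
// tracking so the session id is never written into a URL, not even on the
// first response. Assumes a Servlet 3.0+ container (javax.servlet API).
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class CookieOnlySessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // While URL tracking is allowed, response.encodeURL() appends
        // ;jsessionid=... whenever the current session id did not arrive in a
        // cookie, which is exactly the situation on the first request.
        // Allowing only COOKIE mode disables that fallback entirely; this call
        // must happen before the context finishes initialising.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the session cookie itself: not readable by page scripts and
        // only sent over TLS, so it is not exposed in transit or via XSS.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The same effect is available declaratively in web.xml through `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`; whichever is used, the server must still validate the session behind the cookie on every request, as the answer says.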
