Without cookies, you have two options. The first is passing a sessionId through Urls. This requires a lot of work on the server because every url you send back must have a sessionId appended to it (usually in the form of a query string parameter). For example:

/path/to/page

becomes

/path/to/page?sessionid=ASDFG-ASDFG-ASDFG-ASDFG-ASDFG

The other option you have would be to combine what information you have via http into a "unique" key and create your own session bucket. By combining the Http UserAgent, RemoteIp and RemoteXfip you can get close to uniquely identifying a user, but there is no guarantees that this key is 100% unique.

url rewriting

http://www.developertutorials.com/tutorials/java/implement-session-tracking-050611/page5.html

In the JSP side, you can use JSTL's <c:url> for this.

<a href="<c:url value="page.jsp" />">link</a>

Easy as that. It will automagically append the jsessionid when cookies are disabled.

In the Servlet side you need HttpServletResponse#encodeURL() or -usually the preferred one inside Servlets- HttpServletResponse#encodeRedirectURL() for this.

response.sendRedirect(response.encodeRedirectURL("page.jsp"));

Each URL must be encoded using response.encodeURL("page.jsp")

This will add the Session ID onto the end of each URL so cookies do not have to be enabled.

Note that you will have to do this manually for every single URL in order for it to work.

See this link for more info.