Always maintain HttpSessions

If you are using sessions, you must ensure that they are properly maintained.

Cookies are the usual mechanism for implementing sessions. However, the user's browser may have cookies disabled. In that case, you may want to fall back on URL rewriting to ensure that sessions are still maintained. (See Beware of URL rewriting for a reason why you may not want to do this.) URL rewriting inserts a session identifier into the URLs found in web pages.

If you decide to use URL rewriting, then you will need to ensure that it is applied to every link (and every form's action attribute) in every page that can form part of a session. If you mistakenly emit a single link that has no URL rewriting, then your users will lose their session information as soon as they click on that link.

To allow for this, an application should define a policy for rewriting URLs. For example, one might decide to always use the JSTL tags <c:url> and <c:redirect> (or similar tools) to emit all links in an application. These tags will automatically rewrite URLs when needed. (Another option might be a servlet filter to automatically scan the output for links.)

Hard-coding "raw" links is always risky, since such links can never be rewritten to carry the session identifier.
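The following JSP fragment is an added example, not code from the original page: it places a hard-coded link beside the policy described above, in which every link, form action and redirect goes through the JSTL tags. The pages list.jsp, detail.jsp and login.jsp, the search action, the order bean and the session attribute user are all assumed for the illustration.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Added example (not from the original page). Assumes a web application
     containing the hypothetical pages /orders/list.jsp, /orders/detail.jsp
     and /login.jsp, a hypothetical "order" bean in page scope, and a
     hypothetical session attribute named "user". --%>

<%-- WRONG: a hard-coded "raw" link. The container never gets a chance to
     append ;jsessionid=..., so a browser with cookies disabled loses its
     session on the first click. --%>
<a href="list.jsp">My orders</a>

<%-- RIGHT: <c:url> hands the URL to HttpServletResponse.encodeURL(). The
     container appends the session id only when the request did not carry
     the session cookie, so users with cookies enabled never see the id. --%>
<c:url value="/orders/list.jsp" var="listUrl"/>
<a href="${listUrl}">My orders</a>

<%-- Query parameters go through <c:param>, which URL-encodes the value;
     the session id is still inserted in the correct place (before '?'). --%>
<c:url value="/orders/detail.jsp" var="detailUrl">
  <c:param name="id" value="${order.id}"/>
</c:url>
<a href="${detailUrl}">Order ${order.id}</a>

<%-- A form's action attribute is a link too and needs the same treatment. --%>
<c:url value="/orders/search" var="searchUrl"/>
<form action="${searchUrl}" method="post">
  <input type="text" name="q"/>
  <input type="submit" value="Search"/>
</form>

<%-- Redirects: <c:redirect> encodes the target with encodeRedirectURL()
     before calling sendRedirect(), so the session also survives the extra
     round trip through the browser. --%>
<c:if test="${empty sessionScope.user}">
  <c:redirect url="/login.jsp"/>
</c:if>
```

Because the tags only rewrite when the session cookie is absent, a page that mixes a tag-emitted link with a raw one behaves correctly for cookie-enabled users and silently drops the session for everyone else, which is why the policy has to cover every link.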

See Also:
Emit flexible URLs
Beware of custom cookies
Prefer JSTL tags
Manage sessions closely
Beware of URL rewriting