If you are using sessions, you must ensure that they are properly maintained.
Cookies are the usual mechanism for implementing sessions. Cookies are the recommended mechanism, since the alternative, URL rewriting, has security issues. (URL rewriting inserts a special session id into the body of a URL, where it can then leak through bookmarks, browser history, Referer headers and server logs.)
If you need to allow URL rewriting, then you will need to take significantly more care. All emitted links must be consistently rewritten. If you forget to implement even one link with URL rewriting, then the user's session will be lost whenever they click on that link. (This is another reason to prefer cookies over URL rewriting.)
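The following is an added example, not code from the original page, of the configuration a servlet container needs in order to follow the advice above: it restricts session tracking to cookies (so the container never rewrites the session id into a URL) and hardens the session cookie itself. It uses the Servlet 3.0+ API in javax.servlet; the class name and the cookie name "SID" are assumptions for illustration.

```java
// Added example (not from the original page): restrict session tracking to cookies
// so the container never rewrites the session id into URLs, and harden the session
// cookie itself. Servlet 3.0+ API (javax.servlet); class and cookie name are
// assumptions for illustration.
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionTrackingConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie-only tracking: with URL rewriting disabled, a session id can no longer
        // end up in a bookmark, browser history entry, Referer header or access log,
        // and a link emitted without rewriting no longer loses the session.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // not readable from script (limits session theft via XSS)
        cookie.setSecure(true);     // only sent over HTTPS
        cookie.setName("SID");      // assumed name; replaces the container's default cookie name
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Both calls must happen while the context is initializing, which a ServletContextListener guarantees; the same settings can be declared in web.xml under session-config (cookie-config with http-only and secure, plus tracking-mode COOKIE). Once tracking is cookie-only, HttpServletResponse.encodeURL() simply returns its argument unchanged, so a forgotten rewrite can no longer drop a session.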
If URL rewriting is used, an application should define a policy to implement it consistently. For example, one might decide to always use the JSTL tags <c:url> and <c:redirect> (or similar tools) to emit all links and form actions in an application. Such tags will automatically rewrite URLs when needed.
Hard-coding "raw" links without such tools is always risky, since such links can neither be rewritten with the session id nor adjust to the web application's deployment context (its context path).
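When URL rewriting must stay enabled, the policy described above can be applied in servlet code as well as in JSP. The example below is added here and is not code from the original page: it emits every link and redirect through the servlet API so that each one is rewritten consistently and carries the deployment context path, which is what the JSTL <c:url> and <c:redirect> tags do underneath. The servlet mapping, the paths and the class name are assumptions for illustration.

```java
// Added example (not from the original page): when URL rewriting must stay enabled,
// emit every link through the servlet API so each one is rewritten consistently and
// carries the deployment context path. This is what the JSTL <c:url> and <c:redirect>
// tags do under the covers; servlet mapping, paths and class name are assumptions.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/orders")
public class OrdersServlet extends HttpServlet {

    /** Context-relative path -> server path, rewritten with the session id only when needed. */
    static String link(HttpServletRequest request, HttpServletResponse response, String path) {
        // getContextPath() supplies the deployment context ("" for the root context, "/shop" otherwise);
        // encodeURL() appends ";jsessionid=..." only when the container cannot rely on a cookie.
        return response.encodeURL(request.getContextPath() + path);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getSession(true); // make sure a session exists before any link is emitted

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<ul>");
        // Consistent: every link goes through link(), the equivalent of <c:url value="/orders/list"/>
        out.println("<li><a href=\"" + link(request, response, "/orders/list") + "\">Orders</a></li>");
        out.println("<li><a href=\"" + link(request, response, "/account") + "\">Account</a></li>");
        // Risky (what the text warns against): a raw, hard-coded link is never rewritten,
        // so clicking it drops the session, and it breaks under any context path other than "/":
        // out.println("<li><a href=\"/account\">Account</a></li>");
        out.println("</ul>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Redirects use the redirect-specific variant, the counterpart of <c:redirect>.
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/orders"));
    }
}
```

The JSP equivalent of link() is <c:url value="/orders/list" var="ordersUrl"/> followed by <a href="${ordersUrl}">Orders</a>, and of the redirect is <c:redirect url="/orders"/>. Whichever form is used, the rule is the same: no link or form action is ever written as a raw string, so a single code path decides both the context path and whether the session id is appended.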
Beware of custom cookies
Prefer JSTL tags
Manage sessions closely
Beware of URL rewriting