If you are using sessions, you must ensure that they are properly maintained.
In particular, all URLs emitted by pages in a session (in links and form actions) should be passed through URL "rewriting", whereby a session id is appended to the URL when necessary.
Cookies are the usual mechanism for implementing sessions. However, the user's browser may have cookies disabled. In that case, sessions can only be implemented with URL rewriting.
An application should define a policy to allow for this. For example, one might decide to always use the JSTL tags <c:url> and <c:redirect> (or similar tools) to emit all links in an application. These tags will automatically rewrite URLs when needed.
Hard-coding "raw" links is always risky, since a hard-coded link is never passed through URL rewriting.
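The policy described above, shown as a JSP fragment that puts a raw link beside links, a form action and a redirect emitted through the JSTL tags. This is an added example, not code from the original page. The paths, parameter names, the `/shop` context path and the `user` session attribute are hypothetical, and the taglib URI assumes JSTL 1.1/1.2.

```jsp
<%-- Added example. Assumes JSTL 1.1/1.2; newer Jakarta releases use a different taglib URI. --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Raw link: emitted exactly as typed. It is never rewritten, so a browser
     with cookies disabled loses its session when this link is followed.
     The context path (/shop, hypothetical) is also hard-coded. --%>
<a href="/shop/cart.jsp?item=42">View cart (raw link)</a>

<%-- Same link through c:url. For a value starting with "/", the tag prepends
     the context path, URL-encodes the c:param values, and appends the
     session id to the path only when rewriting is needed. --%>
<c:url var="cartUrl" value="/cart.jsp">
  <c:param name="item" value="42"/>
</c:url>
<a href="<c:out value='${cartUrl}'/>">View cart</a>

<%-- Form actions are URLs too and need the same treatment. --%>
<c:url var="checkoutUrl" value="/checkout"/>
<form method="post" action="<c:out value='${checkoutUrl}'/>">
  <input type="submit" value="Check out"/>
</form>

<%-- Redirects: c:redirect rewrites the target the same way.
     "user" is a hypothetical session attribute set at login. --%>
<c:if test="${empty sessionScope.user}">
  <c:redirect url="/login.jsp"/>
</c:if>
```

In servlet code, the equivalent calls are `HttpServletResponse.encodeURL` and `HttpServletResponse.encodeRedirectURL`.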