http://labs.jboss.com/portal/jbossas/download You don't want 4.0.4.CR2, you want 4.0.4.GA, which is the final release. I do think you're grasping at straws though, as I can't see how my change would affect the behavior of response.encodeURL(). :( Ahh, something coming back from buried memory... If you really want to prevent the use of cookies (as opposed to supporting users with them turned off), you want to make sure you have a context.xml file in WEB-INF that looks like this: [url] <!-- Session persistence is disable by default. To enable for all web apps set the pathname to a non-empty value: To enable session persistence for a single web app, add a WEB-INF/context.xml --> <!-- Install an InstanceListener to handle the establishment of the run-as role for servlet init/destroy events. --> org.jboss.web.tomcat.security.RunAsListener [/url] The relevant part is 'cookies="false"'; the rest are just the defaults from jbossweb-tomcat55.sar/context.xml. IIRC, if 'cookies="true"' and the browser has presented a session cookie, encodeURL() knows this and skips the unnecessary session id encoding. Perhaps this is your problem. You could also edit the jbossweb-tomcat55.sar/context.xml file itself and turn cookies off by default for the entire server. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3968996#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...