If I recall correctly, on first access to a server app, the server sends both the jsessionid in url and the creation of the cookie. Then, if in subsequent requests the user sends the cookie, it doesn't put the jsessionid anymore for that session (unless you configure it for not using cookies). The first time does both because it doesn't know if the user has cookies enabled or not. Maybe it helps. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4084649#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...