JSESSIONID is a cookie used to manage sessions in Java web applications. The web container creates a JSESSIONID whenever a new session is created.
In a Java J2EE application, the container is responsible for session management and by default uses a cookie. When a user accesses your web application for the first time, whether a session is created depends on whether the request is for HTML, a JSP or a Servlet. If the request is served by a Servlet, the session is created by calling the request.getSession(true) method. It accepts a boolean parameter that instructs the container to create a session if one does not already exist.
If you call request.getSession(false), it returns null if no session is associated with this user; otherwise it returns the associated HttpSession object. If the HTTP request is for a JSP page, the container automatically creates a new session with a JSESSIONID, unless this feature is explicitly disabled with the page directive <%@ page session="false" %>.
Once the session is created, the container sends the JSESSIONID cookie in the response to the client. In the case of HTML access, no user session is created. If the client has disabled cookies, the container uses URL rewriting to manage the session, in which jsessionid is appended to the URL as shown below:
When the HTTP session is invalidated by calling invalidate(), mostly when the user logs off, the old JSESSIONID is destroyed, and a new JSESSIONID is created when the user logs in again.
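
An added example (not from the original article) of the lifecycle described above: a servlet that uses getSession(false) to look up a session without creating one, invalidates the existing session on logout and before login, and calls getSession(true) only after authentication succeeds, so the logged-in user gets a new JSESSIONID. It assumes a Servlet 3.0+ container with a configured security realm and the javax.servlet API; the class name, URL pattern, request parameters and the "user" attribute are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, URL pattern, parameter and attribute names are hypothetical.
@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getSession(false) only looks up: anonymous visitors get no session and no JSESSIONID.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + session.getAttribute("user"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Login and logout both start by destroying the session the request arrived with.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        boolean login = "login".equals(req.getParameter("action"));
        try {
            req.logout(); // clear any identity still attached to this request
            if (login) {
                req.login(req.getParameter("username"), req.getParameter("password"));
            }
        } catch (ServletException e) { // thrown by the container when the credentials are rejected
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (login) {
            // getSession(true) creates the session, so the container sends a new JSESSIONID.
            req.getSession(true).setAttribute("user", req.getRemoteUser());
        }
        resp.sendRedirect(req.getContextPath() + (login ? "/account" : "/"));
    }
}
```

Because the pre-login session is invalidated before getSession(true) is called, a JSESSIONID that was issued before authentication is never carried into the authenticated session.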