Cookie

Cookie is sent from web server to the browser as a header, and it is stored in the browser. On all the subsequent requests, the browser would send the cookie data transparently to the server, So it advised to keep the size minimal.

Http Session data is stored in the server, but its session identifier is sent in cookie. In this way, the session reference is passed instead of the actual data to save network traffic. When the user disable the cookie in the browser, URL rewrite (response.encodeUrl) will be used to append jsessionid on url parameters.

When a GET hits the server with no session cookie or id, Tomcat creates a new session and sets the cookie:
Set-Cookie: JSESSIONID=2978A7FABFF3DB35BE622290E1294CDE; Path=/
It then also encodes all URLs on a page with jsessionid. At this point, does not know if the browser supports cookies. So the next GET (with both cookie and URL parameter) is required to decide if cookies are OK or not.