You may want to first read about the difference between a session and a cookie.
Sessions are controlled at both of these places. The settings at the application level will take precedence over the settings at the application server level.
- Application > Application Types > Websphere enterprise applications > select an application > Session management
- Server > Server Types > Websphere applications servers > select an application server > Session management
A session ID is created when a WebSphere application is opened in a web browser and by default, the session is destroyed when the web browser is closed (this can be changed). WebSphere has 3 session tracking mechanisms. By default, only Enable cookies is enabled.
When enable cookies is selected, a cookie will be created on the client PC when requesting the app running on WebSphere. By default, the cookie is named JSESSIONID. In this example, the session ID is 0000a12dvSZHLFhx0hIWFJYVC_-:-1).
Enable cookies will take precedence over Enable URL rewriting. When Enable cookies is checked, the session ID will attempt to be obtained from a cookie.
Enable SSL ID tracking will take precedence over Enable cookies and Enable URL rewriting. When Enable SSL ID tracking is enabled, the session ID will attempt to be obtained from SSL information.
Enable URL rewriting - When Enable URL rewriting is enabled, the session ID will attempt to be obtained from the URL. If Enable protocol switch rewriting is enabled, the session ID will attempt to be retained when switching from HTTP to HTTPS, and vice versa.
Distributed environment settings
Distrubuted sessions is the idea of distributing sessions across two or more application servers or applications in a cluster.