You have correctly identified two of the three ways of handling session
IDs supported by Tomcat. There is a third way to track sessions but only if
the application runs over SSL. In that case you can configure Tomcat to use
the SSL session ID.
If the Servlet calls request.getSession() then Tomcat always includes a
session ID in the response. However, those cookies are marked as httpOnly
by default in Tomcat 7 onwards which means they are not visible to
If the session cookies need to be visible to script then you need to set
useHttpOnly="false" in either the web application's context.xml (to change
the default for just that file) or in $CATALINA_BASE/conf/context.xml to
change the default setting for every web application.
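As an added check (example code, not from the original post or from Tomcat itself), the script below parses Set-Cookie headers, constructed here to resemble Tomcat's output, and reports which context paths hand out JSESSIONID without the HttpOnly flag, which is what you would see wherever useHttpOnly="false" is in effect.

```python
# Added example (not from the original post or from Tomcat): audit the
# Set-Cookie headers a Tomcat response carries for the HttpOnly flag.
SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name

# Constructed sample headers shaped like Tomcat output; not captured from a server.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app1; HttpOnly",
    "JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/legacy",
    "JSESSIONID=00112233445566778899AABBCCDDEEFF; Path=/shop; Secure; HttpOnly",
    "theme=dark; Path=/app1",  # unrelated cookie, must be ignored
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless flags such as HttpOnly and
    Secure are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_session_cookies(headers):
    """One finding per session cookie: its path and HttpOnly/Secure state."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name != SESSION_COOKIE:
            continue
        findings.append({
            "path": attrs.get("path", "/"),
            "httponly": attrs.get("httponly") is True,
            "secure": attrs.get("secure") is True,
        })
    return findings

def paths_missing_httponly(headers):
    """Paths whose session cookie script can read: the Tomcat 7+ default has
    been overridden with useHttpOnly="false" in context.xml (or the server
    predates that default)."""
    return [f["path"] for f in audit_session_cookies(headers) if not f["httponly"]]

if __name__ == "__main__":
    print("missing HttpOnly:", paths_missing_httponly(SAMPLE_SET_COOKIE_HEADERS))
```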