Even if it is possible, but I wouldn't do it. You would have to parse your output after it is generated and before you really send it to the requesting client. The parsing has to be quite flexible to recognise links to external site as it is not a good practice to include the session id in links to external sites. (That would open the door to steal the session). There are several ways to code URL's in a way that it is hard to say which site will be the target. Just two examples: 1: <base href="some.server.domain"><a href="/some/image.gif"></a> 2: <script> someServer = 'someServer'; someFunction() { return someServer + '/some/image.gif'; } </script> <a href="javasript:someFunction()"> So this leads to quite some effort in development (or organisation, if you try to come around this by enforcing apropriate policies four your web developers) and performance penalty. And I bet: you will never be shure if there isn't a whole anywhere. > -----Ursprüngliche Nachricht----- > Von: Christian Mallwitz [mailto:[EMAIL PROTECTED]] > Gesendet: Freitag, 17. November 2000 13:34 > An: '[EMAIL PROTECTED]' > Betreff: JSP and automatic session id URL rewriting > Is it possible to > - force all JSP generated URLS to include a session id > without having to wrap them in encodeURL() > - disable generatation of session cookies