The 2006 RandomCoder article, “JSESSIONID considered harmful” mentions that a Google search on URLs with “jsessionid” in them resulted in 76 million results. Now in 2010, there are over one billion pages with “jsessionid” in the URL!

Although I understand the motivation behind URL-based session-ids (support cookie-less users), it seems inconceivable that all billion of these pages actually need cross-page state, even for casual/anonymous visitors (including search engine robots). I wonder how much bandwidth, memory and processing power are wasted to create empty session objects and shuffling around useless JSessionIDs in URLs and cookies.