When I use payara and use http sessions a JSESSIONID and/or JSESSIONIDSSO cookie is created which are sent back to re-acces the session.
Question 1: is the format of these session id’s defined somewhere?
Question 2: when a request is sent to the server, are the session id’s validated somehow? And if yes, if invalid, what happend? And is it possible to define differente behaviour for invalid session ids or expired session ids?