Ever wondered how Tomcat and Jetty generate a unique sessionId ? (I’m talking about the one returned by HttpSession.getId()). Here is how is works: Tomcat 7.0.35 For Tomcat, the whole logic is in SessionIdGenerator.generateSessionId() public class SessionIdGenerator { /** * Generate and return a new session identifier. */ public String generateSessionId() { byte random[] = new byte[16]; // Render