How is a sessionID generated?
http://docs.oracle.com/cd/E17802_01/products/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#getId()
"The identifier is assigned by the servlet container and is implementation dependent."
The jsessionid is generated whenever a new session is created.
A java.security.MessageDigest
algorithm is normally used.
Usually the generated ID is just a set of random numbers, up until the required length, but it varies according to the algorithms used in the various servlet containers.
In Tomcat6, for example, have a look at:
ManagerBase.sessionIdLength
and
ManagerBase.createSession() //which calls generateSessionId()
See http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
It is container specific. Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Manager