Tomcat7 for security, to prevent artificial modification sessionid attack, set JSESSION in the cookie to httponly=true, so that the JSESSIONID cannot be obtained by using the cookie
How to get JSESSIONID. Modify the conf/context.xml file in the tomcat directory . useHttpOnlu="false"