Wednesday, January 20, 2016

Session State in an SSL Connection vs in Cookies or URL Rewriting

When exchanges between OC4J and a client include sensitive information, the transmissions should occur over a secured connection. You can achieve this with HTTPS (transmitting the HTTP protocol over SSL sockets...). In this case, cookies or URL rewriting would not be appropriate for transmitting a session ID, given that the ID could be intercepted or spoofed. If the value of the session ID is compromised, the associated session state is vulnerable.
In this secured transmission situation, where HTTPS is used for all transmissions, OC4J stores the information needed to retrieve the session state directly into the SSL connection, as an attribute of the SSL session (functionality that is invisible to the user).
https://web.archive.org/web/20140101171639/http://otndnld.oracle.co.jp/document/products/as10g/101300/B25221_03/web.1013/b14426/sessions.htm#CHDJDGIJ
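As an added example (not code from the Oracle documentation or from the original post), here is a defender-side check in Python over constructed access-log lines: it flags session IDs that were carried by URL rewriting, where they end up in server logs and Referer headers regardless of whether the connection used HTTPS. The combined log format, the `jsessionid` parameter name and the sample lines are assumptions.

```python
import re
from typing import Dict, List

# Assumed combined log format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Servlet-style URL rewriting appends the ID as a path parameter (";jsessionid=...");
# some applications pass it as a query parameter instead. Parameter name is assumed.
MATRIX_RE = re.compile(r';jsessionid=(?P<sid>[^;/?#\s"]+)', re.IGNORECASE)
QUERY_RE = re.compile(r'[?&]jsessionid=(?P<sid>[^&#\s"]+)', re.IGNORECASE)

def session_ids_in(url: str) -> List[Dict[str, str]]:
    """Return every session ID embedded in a URL, with where it was found."""
    hits = [{"where": "path", "sid": m.group("sid")} for m in MATRIX_RE.finditer(url)]
    hits += [{"where": "query", "sid": m.group("sid")} for m in QUERY_RE.finditer(url)]
    return hits

def find_session_id_exposures(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines; report session IDs seen in the request target or Referer."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        for field in ("target", "referer"):
            for hit in session_ids_in(m.group(field)):
                findings.append({"line": lineno, "client": m.group("client"),
                                 "field": field, **hit})
    return findings

# Constructed sample log (not real traffic); IDs and hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2016:10:00:01 +0000] "GET /app/cart;jsessionid=AB12CD34EF56 HTTP/1.1" 200 512 "https://shop.example/app/" "Mozilla/5.0"
192.0.2.11 - - [20/Jan/2016:10:00:02 +0000] "GET /app/cart HTTP/1.1" 200 512 "https://shop.example/app/" "Mozilla/5.0"
192.0.2.12 - - [20/Jan/2016:10:00:03 +0000] "GET /app/account?JSESSIONID=9988776655 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jan/2016:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 77 "https://shop.example/app/cart;jsessionid=AB12CD34EF56" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_session_id_exposures(SAMPLE_LOG):
        print(f"line {f['line']}: client {f['client']} exposed session ID "
              f"{f['sid']} in {f['field']} ({f['where']})")
```

Each finding is a session ID that has already been written to disk in the access log and, in the Referer case, was sent on to whichever server received the follow-up request.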
