Which one is responsible for the generation of http session ID? The client browser, the server, or both?

Question

I am working on a Java web application which involves allocating server resources on a per http session basis. So the http session ID would become part of the key of a database table, and its uniqueness in the table is a must. The description of the Java HttpSession.getID() method claimed that this ID is unique, so the server side should have someway to enforce such nature. But on the client browser, HTTP session is usually shared by multiple browsing windows unless explicitly request a new session to be to used. This suggests that the browser have active control over session usage as well. So which side is responsible for the generation of HTTP session ID? Or it is a combined effort of both sides? Is there any chance that the same session ID is generated accidentally by browsers on different computers accessing the same website?

Answer 1

Session id is generated by server and is usually granted to a visitor on his/her first visit to a site.

A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator). Some Web servers generate session IDs by simply incrementing static numbers. However, most servers use algorithms that involve more complex methods, such as factoring in the date and time of the visit along with other variables defined by the server administrator.