I would be grateful if someone would explain how servlets can tell that cookies have been disabled on the client's browser.
I understand that while creating a session in a servlet: If cookies are enabled, the server will return the sessionID as a cookie. If cookies are disabled, the sessionID will be written into the URL.
What I don't understand is how the server can tell that cookies have been disabled. HTTP is a stateless protocol, there is no way (that I know of) the server can tell that the client has disabled cookies. I expect that the server would not receive cookies in the request header but that could mean that no cookies have been set in the first place.
I have checked these answers: Servlet HttpSession cookies disabled Manage Session when broswer has disable cookies
They both explain how to enable URL-rewriting but they do not explain how the server knows cookies have been disabled on the client.
They can't. When the session is first created, the server sends the session ID both as a cookie and with URL rewriting. On the second request, if it receives the session cookie, then it stops rewriting URLs.