且构网


Generating your own session ID in JSF

Updated: 2023-09-22 17:00:58

I really doubt you'll generate session IDs that are more secure than the ones generated by the container, but here's what you could do, without using any container-specific extension.

Create a servlet filter which intercepts every request to the server.

When a request comes in, check if a session already exists for this request (using getSession(false)). If one exists, then extract your specific cookie MY_SESSION_ID from the request, and compare its value to the one that is stored in the session. If they don't match, reject the request.

If the session doesn't exist, then create it (using getSession(true)), generate your super-secure session ID, store it as a session attribute and add the cookie MY_SESSION_ID to the response.

This has the disadvantage of creating a session automatically, even if it's not strictly needed. But that's the case most of the time when using JSPs of component frameworks.
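
The filter described above, as an added example that is not part of the original answer. It assumes the javax.servlet API (Servlet 4.0 or later, where Filter.init and Filter.destroy have default implementations), an HTTPS-only deployment, and a hypothetical class name SessionTokenFilter; the token is drawn from SecureRandom and compared in constant time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: binds a second random token (cookie MY_SESSION_ID) to the container's session.
// Assumption: javax.servlet (Servlet 4.0+); on newer containers the package is jakarta.servlet.
public class SessionTokenFilter implements Filter {
    private static final String NAME = "MY_SESSION_ID"; // cookie and session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        if (session == null) {
            // No session yet: create one and issue a 256-bit token alongside it.
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            request.getSession(true).setAttribute(NAME, token);
            Cookie cookie = new Cookie(NAME, token);
            cookie.setHttpOnly(true); // keep the token away from page scripts
            cookie.setSecure(true);   // assumption: the application is served over HTTPS only
            String ctx = request.getContextPath();
            cookie.setPath(ctx.isEmpty() ? "/" : ctx); // send it on every request to the app
            response.addCookie(cookie);
        } else if (!matches(session.getAttribute(NAME), request.getCookies())) {
            // Session exists but the cookie is missing or different: reject the request.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // Compares the stored token with the first MY_SESSION_ID cookie in constant time.
    private static boolean matches(Object expected, Cookie[] cookies) {
        if (!(expected instanceof String) || cookies == null) return false;
        byte[] want = ((String) expected).getBytes(StandardCharsets.UTF_8);
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()))
                return MessageDigest.isEqual(want, c.getValue().getBytes(StandardCharsets.UTF_8));
        }
        return false;
    }
}
```

Map the filter to /* (for example with @WebFilter or a web.xml filter-mapping) so that it sees every request. A session created before the filter ran has no stored token and is rejected by this check.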