Craig Condit makes a strong case against JSESSIONID in JSESSIONID considered harmful. And I just learned that it is disabled by default in Grails 1.1.