
Secure JSF web application - Hide session id from being displayed

With the default settings the servlet container appends the session id to the URL (URL rewriting). Anyone who learns that id can take over the logged-in session (session hijacking), and a URL-borne id leaks easily: it is copied into the Referer header of every outgoing link, stored in browser history and bookmarks, written to proxy and server logs, and on an unencrypted network it can simply be read off the wire with a sniffer such as Wireshark.

After you log in to your JSF web application, the URL in the browser's address bar should not look like this: www.myapplication.tld/site.xhtml;jsessionid=XXXX

The fix is to switch the container to cookie-based session tracking, so that the id travels in the Cookie header and never appears in the URL. Note that this is not about encryption: TLS encrypts the URL just as it encrypts the headers, so a session cookie is no better protected on the wire than a URL parameter. The gain is that a cookie does not end up in Referer headers, history, logs or shared links, and that URL rewriting no longer lets an attacker hand a victim a link with a session id of the attacker's choosing (session fixation). Serve the application over HTTPS in any case, otherwise a sniffer on the same network reads the cookie as easily as it would read the URL.

1. Go to the folder WEB-INF.
If you use NetBeans, you can find it in the Projects tab.

2. Then edit the file web.xml
Add the following so that the container keeps the session id in a cookie only and marks that cookie HttpOnly. If web.xml already contains a session-config element, add the cookie-config and tracking-mode elements inside it instead of creating a second session-config.

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Now rebuild and redeploy the application. Both elements are Servlet 3.0 features, so the web-app root element of web.xml must declare version 3.0 or later, otherwise the container rejects or ignores them. Two related settings belong in the same session-config element: cookie-config also accepts a secure child (true), which stops the browser from sending the cookie over plain HTTP, and session-timeout limits how long a stolen id stays usable. Finally, log in again and confirm in the browser's developer tools that no URL contains ";jsessionid=" and that the Set-Cookie header for JSESSIONID carries the HttpOnly (and Secure) attributes.
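To check that the change actually took effect, here is an added example in Python that is not part of the original tutorial. It parses a raw HTTP response and reports the weaknesses the web.xml change above is meant to remove: a session id appended to the Location header or to links in the page (URL rewriting), and a JSESSIONID cookie without the HttpOnly or Secure attribute. The three responses it inspects are constructed for illustration (the hostname is the one used above; the session id value and the page body are made up), and the "partial" case shows what you see if only http-only was added but tracking-mode was forgotten.

```python
"""Check a web application's HTTP response for session-id leakage.

Added example, not part of the original tutorial. It reports the weaknesses
the web.xml change above is meant to remove: the session id appended to URLs
(URL rewriting) and a JSESSIONID cookie without HttpOnly or Secure.
The three responses below are constructed for illustration; the session id
value is made up.
"""
import re

SESSION_COOKIE = "JSESSIONID"
# Servlet containers rewrite URLs as ".../page.xhtml;jsessionid=<id>".
URL_SID_RE = re.compile(r";jsessionid=[\w.\-]+", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers, body).

    Header names are lower-cased; a repeated header such as Set-Cookie is
    kept as a list of values.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def session_cookie_attributes(headers):
    """Return the lower-cased attribute names of the JSESSIONID cookie,
    or None when the response sets no such cookie."""
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        if parts[0].split("=", 1)[0].upper() == SESSION_COOKIE:
            return {p.split("=", 1)[0].lower() for p in parts[1:]}
    return None


def find_session_id_leaks(raw):
    """Return a sorted list of findings for one raw HTTP response."""
    _, headers, body = parse_response(raw)
    findings = set()
    # URL rewriting shows up in redirects and in the links of the page.
    if any(URL_SID_RE.search(v) for v in headers.get("location", [])):
        findings.add("session id in Location header")
    if URL_SID_RE.search(body):
        findings.add("session id in rewritten URLs in body")
    attrs = session_cookie_attributes(headers)
    if attrs is None:
        findings.add("no JSESSIONID cookie set")
    else:
        if "httponly" not in attrs:
            findings.add("JSESSIONID cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.add("JSESSIONID cookie lacks Secure")
    return sorted(findings)


def _response(location, cookie, body):
    """Build a constructed post-login redirect response."""
    return "\r\n".join([
        "HTTP/1.1 302 Found",
        "Location: " + location,
        "Set-Cookie: " + cookie,
        "Content-Type: text/html",
        "",
        body,
    ])


# Default container behaviour: id in the URL, cookie without attributes.
DEFAULT_RESPONSE = _response(
    "https://www.myapplication.tld/site.xhtml;jsessionid=1A2B3C4D5E6F",
    "JSESSIONID=1A2B3C4D5E6F; Path=/",
    '<a href="site.xhtml;jsessionid=1A2B3C4D5E6F">continue</a>')

# Only <http-only> added, <tracking-mode>COOKIE</tracking-mode> forgotten.
PARTIAL_RESPONSE = _response(
    "https://www.myapplication.tld/site.xhtml;jsessionid=1A2B3C4D5E6F",
    "JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly",
    '<a href="site.xhtml">continue</a>')

# Cookie-only tracking with HttpOnly and Secure: nothing to report.
HARDENED_RESPONSE = _response(
    "https://www.myapplication.tld/site.xhtml",
    "JSESSIONID=1A2B3C4D5E6F; Path=/; Secure; HttpOnly",
    '<a href="site.xhtml">continue</a>')

if __name__ == "__main__":
    for name, raw in [("default", DEFAULT_RESPONSE),
                      ("partial", PARTIAL_RESPONSE),
                      ("hardened", HARDENED_RESPONSE)]:
        print(name, find_session_id_leaks(raw) or ["OK"])
```

Against a live deployment, feed find_session_id_leaks the raw response of the login POST (for example what curl -i prints) and of a few navigations after login; the container only switches to URL rewriting when it is allowed to, so an empty result on the first response after login is the signal you want.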
