Hello Shing Wai,
You need to differentiate whether the session was created in HTTP (1 = insecure session) or HTTPS (2 = secure session).
In case of HTTP created session (1):
-> user gets jsessionId, he may move on to https and also leave https to http side without losing the session
In case of HTTPS created session (2):
-> user gets jsessionId, he may not leave from HTTPS and will lose his session there.
Currently any session traversal from HTTPS to HTTP will lose, independent of when it was created. The above described behaviour is also implemented exactly that way in other containers like Tomcat, Jetty and JBoss as it imitates the behaviour from browser cookies. Those are only marked secure in case they were created within HTTPS space.
Currently one can't rely on GlassFish URL rewriting as it will lose any insecure sessions in case of an HTTPS->HTTP traversal.
If you have any questions left or don't think that my arguments are valid, just tell me.
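The two cases described in the message above can be expressed at application level as a servlet filter. This is an added example, not part of the original message and not GlassFish, Tomcat, Jetty or JBoss code; the class name `SessionOriginFilter` and the attribute key are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: a session is bound to HTTPS only if it was created over HTTPS. */
public class SessionOriginFilter implements Filter {
    // Assumed attribute key, not a container-defined name.
    private static final String CREATED_SECURE = "example.session.createdSecure";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        if (session != null
                && Boolean.TRUE.equals(session.getAttribute(CREATED_SECURE))
                && !http.isSecure()) {
            // Case (2): created over HTTPS, now presented over plain HTTP.
            // The id may have travelled in a rewritten URL, so drop the session.
            session.invalidate();
        }
        // Case (1): a session created over HTTP passes through on either scheme.
        chain.doFilter(req, res);

        // Tag a session created during this request with the scheme it was born under.
        // An untagged session that predates the filter is tagged with the current scheme.
        HttpSession after = http.getSession(false);
        if (after != null && after.getAttribute(CREATED_SECURE) == null) {
            after.setAttribute(CREATED_SECURE, Boolean.valueOf(http.isSecure()));
        }
    }

    @Override
    public void destroy() { }
}
```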