Session security is handled by the application server, and the session is stored in a non-persistent cookie on the client. Ensure that all transactions with the application server are protected with SSL to prevent session hijacking attacks.
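One way to verify both properties from a captured response is to audit the `Set-Cookie` header the application server sends. This is an added example, not code from the product: the cookie name `JSESSIONID` and the header values are constructed samples, and the `HttpOnly` check goes beyond what the text above requires.

```python
import re

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def is_persistent(attrs):
    """True if the browser would keep the cookie after it is closed."""
    max_age = attrs.get("max-age")
    # A valid Max-Age takes precedence over Expires (RFC 6265);
    # zero or negative means the cookie is being cleared, not persisted.
    if max_age is not None and re.fullmatch(r"-?\d+", max_age):
        return int(max_age) > 0
    # The Expires date is not parsed here: any Expires is flagged for review.
    return "expires" in attrs

def audit_session_cookie(header):
    """Return the list of findings for a session cookie's Set-Cookie header."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if is_persistent(attrs):
        findings.append("persistent")        # written to disk, outlives the browser session
    if "secure" not in attrs:
        findings.append("missing-secure")    # cookie is also sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing-httponly")  # cookie is readable by page script
    return findings

# Constructed sample headers, not taken from a real server.
SAMPLES = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "JSESSIONID=abc123; Path=/; Max-Age=86400",
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=; Path=/; Max-Age=0; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit_session_cookie(header) or ["ok"], "<-", header)
```

A cookie without `Secure` is sent on any plain-HTTP request to the same host, so SSL on the application pages alone does not keep the session cookie off the wire.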