Which statement is true about web container session management？（）

Access to session-scoped attributes is guaranteed to be thread-safe by the web container.

To activate URL rewriting， the developer must use the HttpServletResponse.setURLRewriting method.

If the web application uses HTTPS， then the web container may use the data on the HTTPS request stream to identify the client.

The JSESSIONID cookie is stored permanently on the client so that a user may return to the web application and the web container will rejoin that session.