Why jsessionid is appended to each url?

I am deploying an app using the Spring framework on the Apache Tomcat. When running the application from Tomcat directly, there's no jsessionid appended to any URL at all, but after mapping the application to the domain, and trying to run it, I got a jsessionid appended to each URL in the application. I tried the Spring security attribute开发者_StackOverflow disable-url-rewriting but it doesn't work; it removes the jsessionid from the URL but the application doesn't work any more and the user cannot login.

So I guess it's another problem. Any ideas why this happens or how to solve it?

Fixed in Spring Security 3 https://jira.springsource.org/browse/SEC-1052

by any chance, cookies are disabled for the "domain"?

If tomcat is behind a proxy, you have to make sure it runs on the same domain.