JSESSIONID is created by Tomcat (or another web container, see docs); it does not come from Spring Security. JSESSIONID is a unique HTTP session identifier used in a situation where an application uses a session (places / reads some data from the session during a request), but there is no session cookie. In this case, the server tries both approaches: it sets a cookie and adds a parameter to all links.
This is mainly because:
- first request from the browser (no cookie at all)
- the browser sent the wrong session ID (for example, when the server was rebooted and the existing session became invalid)
And during such a request, the session was used on the server side (and a new session was created).
P.S. I'm not sure if this could be related to the LDAP authentication problem.
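An added example, not part of the original answer: a Python check that scans access-log lines for the `;jsessionid=` path parameter that the link rewriting described above produces, in both the request target and the Referer field, and redacts the id before logs are shared. The log layout, sample lines and function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# URL rewriting appends the id as a path parameter: /path;jsessionid=<id>?query
JSESSIONID_PARAM = re.compile(r';jsessionid=([^;?#/\s"]+)', re.IGNORECASE)

# Assumed log layout: "METHOD target PROTO" status bytes "referer"
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (not real traffic; the ids are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /app/login HTTP/1.1" 200 512 "-"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /app/home;jsessionid=0123456789ABCDEF0123456789ABCDEF?tab=1 HTTP/1.1" 200 2048 "-"
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "GET /app/home HTTP/1.1" 200 2048 "https://example.test/app/list;jsessionid=FEDCBA9876543210FEDCBA9876543210"
"""


def find_rewritten_urls(log_text):
    """Return (line_no, field, session_id) for each URL carrying ;jsessionid=."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE.search(line)
        if not m:
            continue  # line does not follow the assumed layout
        for field in ("target", "referer"):
            # The id is a path parameter, so inspect the path, not the query.
            path = urlsplit(m.group(field)).path
            for sid in JSESSIONID_PARAM.findall(path):
                hits.append((line_no, field, sid))
    return hits


def redact(text):
    """Replace every session id in a URL path parameter with a fixed marker."""
    return JSESSIONID_PARAM.sub(";jsessionid=REDACTED", text)


if __name__ == "__main__":
    for hit in find_rewritten_urls(SAMPLE_LOG):
        print(hit)
    print(redact(SAMPLE_LOG))
```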