When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, spring security sends an HTTP redirect to our login page (e.g. /login). That’s fine.

The issue is that absent an existing session (identified by a cookie provided in the client’s request), spring-security issues a redirect that also specifies the client’s new session in the URL, e.g. /login;jsessionid=8o7pglapojus.

Many containers support this (apparently it works fine in tomcat?), but it appears that Jetty (which is what we’re using right now) does not — the redirected URL comes through to our URL router completely intact (including the jsessionid “parameter”), and the named session is not associated with the /login request by jetty/spring-security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).

We can work around this by matching /login.* in our routes, but I’m curious if there’s any way to prevent the emission of the session id in the authentication redirect to begin with.