is to use HTTPS for every request. This means the jsessionid is never sent across an insecure channel.
You will need to ensure your web.xml-defined <welcome-file> points to an HTTPS location, and the
application never directs the user to an HTTP location. Acegi Security provides a solution to assist
with the latter.
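One way to check both conditions against captured response headers, as an added example that is not part of the original documentation or of Acegi Security itself: it flags absolute redirects to an HTTP location and JSESSIONID cookies set without the Secure attribute. The function names, the shop.example host and the sample capture are constructed for illustration.

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "jsessionid"  # servlet default name, compared case-insensitively


def audit_response(request_url, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    if urlsplit(request_url).scheme != "https":
        findings.append("request was not made over HTTPS")
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            target = urlsplit(value)
            # A relative Location keeps the request's scheme; only absolute http:// is flagged.
            if target.scheme == "http":
                leak = ";jsessionid=" in target.path.lower()
                findings.append("redirect to HTTP location"
                                + (" carrying session id in URL" if leak else ""))
        elif lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0].lower()
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            # Without Secure, the browser also sends the cookie on plain HTTP requests.
            if cookie_name == SESSION_COOKIE and "secure" not in attrs:
                findings.append("session cookie set without Secure attribute")
    return findings


def audit_capture(capture):
    """Map each request URL with at least one finding to its list of findings."""
    report = {}
    for url, headers in capture:
        findings = audit_response(url, headers)
        if findings:
            report[url] = findings
    return report


# Constructed sample capture (hypothetical host, not from a real application).
SAMPLE = [
    ("https://shop.example/login", [("Set-Cookie", "JSESSIONID=A1B2C3; Path=/; Secure"),
                                    ("Location", "https://shop.example/account")]),
    ("https://shop.example/logout", [("Location", "http://shop.example/index.jsp")]),
    ("https://shop.example/cart", [("Location", "http://shop.example/pay.jsp;jsessionid=A1B2C3")]),
    ("http://shop.example/", [("Set-Cookie", "JSESSIONID=D4E5F6; Path=/")]),
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE).items():
        print(url, "->", "; ".join(findings))
```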