As implemented, the following scenario cannot work on Tomcat when the browser has disabled cookies:
(1) Start session over http
(2) Request resource over http that requires https
(3) Redirect to login over https
(4) After successful login, redirect back to original resource over http
This scenario is discussed often in Spring Security documentation and should be supported.
As Luke pointed out, encodeRedirectURL is not adding the jsessionid. However, this is because it is being passed an absolute URL for which encodeRedirectURL cannot determine if it points to somewhere within the current web application (see description of isEncodeable at http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/connector/Response.html#isEncodeable(java.lang.String) ).
I was able to verify this by writing a custom AuthenticationProcessingFilter that constructed the URL relative from the context first, then applied encodeRedirectURL to the relative URL (which does successfully add the session id), and finally constructing the absolute URL from the encoded relative URL.
I wonder if this worked at one time when the URL was relative, but broke when the URL was changed to absolute (see 2nd to last paragraph in section 7.2 of the Spring Security Reference Documentation which notes a change to absolute because of an IE6 bug, http://static.springframework.org/spring-security/site/reference/html/channel-security.html#channel-security-config ).