The JSESSIONID only needs to be added to the URL when cookies are disabled. Ideally, this would be resolved via SHIRO-360.
SHIRO-360 Create UrlEncoder
SHIRO-536 Session token in url
GitHub Pull Request #31