Who defines JSESSIONID in spring security and how is it done?

Hi.
i am using spring security on top of a application which is based on tomcat. there is an apache proxy in between
the clients and tomcat. all clients goes to the same proxy.
I am trying to understand who creates the JSESSION ID cookie on the request.
for some reason when 2 clients on the same browser send a request to the
tomcat the spring security defines the same jsession id for them.

Any idea why this might happen? what distinguishes between one session id and the other.
Please note that this does not happen when i don't have a proxy.

Thanks

The cookie is created by the servlet container, in your case tomcat.
Current browsers share sessions between all windows. If you do not want this just use chrome for session 1 and firefox for session 2.