The session IDs are encoded as: -

/secure/j_security_check;jsessionid=kVzsBG9c3XxcOlzpa65ohiMeMNqXdSNQuOdvdpR3.flame

However the code that checks if this is a submission to j_security_check is: -

request.getRequestURI().getPath().endsWith(postLocation)

This code needs to trim the path at ';'