I'm seeing something a little similar here. I have a JBoss application behind an IIS7 proxy and the proxy server is stripping the "set-cookie" HTTP headers from the server response.
- Client sends login request. Proxy forwards to server
- Server responds, including a set-cookie in the HTTP header
- Proxy consumes this set-cookie and sends the response to the client "naked"
- Client calls another page, sans-cookie. Server issues a new cookie, session is lost, authentication fails
Any suggestions? I've tried the suggested solution of disabling session-state for this app in IIS, but this has not changed anything.