chrome浏览器每次请求产生一个新session

项目使用spring mvc，用shrio进行权限管理，登录页面有使用验证码，验证码放session中，然后纠结的问题开始了……

首先，项目部署在本机，一切ok...
然后部署到内网服务器上时，问题来了：
1、使用IE 8、Fire fox 17一切正常，刷新登录页面session id不变，验证码验证正常……
2、使用chrome登录时，发现正确填写验证码也报验证码错误，开debug日志发现如下内容：

2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-2] -Rendering view [org.springframework.web.servlet.view.RedirectView: name 'redirect:/login'; URL [/login]] in DispatcherServlet with name 'appServlet'
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-2] -Successfully completed request
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-2] -Returning cached instance of singleton bean 'sqlSessionFactory'
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Found 'JSESSIONID' cookie value [90C864421934A567FA2147C70B17F290]
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Resolved SubjectContext context session is invalid. Ignoring and creating an anonymous (session-less) Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with id [90C864421934A567FA2147C70B17F290]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:97)
at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:125)
at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456)
at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338)
at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -DispatcherServlet with name 'appServlet' processing GET request for [/login]
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Looking up handler method for path /login
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Returning handler method [public java.lang.String com.novagame.report.controller.LoginController.index(org.springframework.ui.Model,javax.servlet.http.HttpSession)]
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Returning cached instance of singleton bean 'loginController'
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Last-Modified value for [/login] is: -1
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
2012-12-30 16:25:10 DEBUG [http-bio-9001-exec-8] -Added HttpServletResponse Cookie [JSESSIONID=b6a4eafd-051a-481c-bb86-2d127b10b85a; Path=/; HttpOnly]


从日志可以看出根据session id[90C864421934A567FA2147C70B17F290]未能找到对应的session，而且session id也跟平常的的不一样，继续看日志，shiro创建了一个新的session (Added HttpServletResponse Cookie [JSESSIONID=b6a4eafd-051a-481c-bb86-2d127b10b85a; Path=/; HttpOnly])，session不同了，验证码肯定报错了。

在shiro的DefaultSessionManager中下断点远程跟踪调试了解到chrome每次请求登录页面时都生成了一个新会话，并保存在MemorySessionDAO中的sessions变更中，内容类似于"{247cc8fc-ba5f-43c9-9505-c33beadfd273=org.apache.shiro.session.mgt.SimpleSession,id=247cc8fc-ba5f-43c9-9505-c33beadfd273,bbcd95a6-2960-4bc3-a990-2f0cbf110530=org.apache.shiro.session.mgt.SimpleSession,id=bbcd95a6-2960-4bc3-a990-2f0cbf110530}"，每次刷新session都增加一个，不存在session过期被移除了的问题，找不到session的原因就是chrome提交的请求中的session id不对……

目前抓狂中，any hints?