Jira Data Center: JRASERVER-38998

Do not create a session when hitting the root of the webapp


Details

    Description

The root of the JIRA web application (e.g. "/" or "/foo/", or whatever the context path is) is a redirect to /secure/MyJiraHome.jspa (and then typically to Dashboard.jspa). However, default.jspa (which serves the root) creates a session if one is absent.

This is never necessary, and with poorly configured front-end proxies it sometimes causes the following problem:

• Tomcat sets the path= of the JSESSIONID cookie to the context path with a trailing slash, e.g. "path=/foo/".
• If the browser goes to "/foo" (with no trailing slash), it is not supposed to send the JSESSIONID cookie, because "/foo" is not under "/foo/". Firefox does send it, but none of the other browsers do.
• If Tomcat sees a request to "/foo", it redirects to "/foo/" itself and does not pass the request to JIRA.
• If the proxy is misconfigured, it may accept "/foo" from the browser (with no cookie) and forward it to JIRA as "/foo/".
• JIRA then creates a new JSESSIONID, overwriting the old one in the browser.

This manifests as your session being dropped (e.g. getting logged out) whenever you access "/foo" (with no slash). Various places send you to the base URL without a slash (e.g. the login gadget).
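The cookie path rule and the request sequence above, as an added Python model (not Jira or Tomcat code). It implements the RFC 6265 path-match check that browsers apply, then replays the login / "/foo" sequence; the session ids and the "login.jsp" path are constructed for the illustration.

```python
import itertools

def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match, the rule a browser applies before
    sending a cookie. "/foo" does not match cookie path "/foo/", so the
    JSESSIONID is withheld on a request to the root without a trailing slash."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def replay(context_path, proxy_rewrites_root, root_creates_session):
    """Replay the report's sequence for a webapp mounted at context_path.

    proxy_rewrites_root:  the misconfigured proxy forwards "/foo" upstream as "/foo/".
    root_creates_session: the root page creates a session when none is presented
                          (the behaviour this issue asks to remove).
    Returns (session id issued at login, session id left in the browser afterwards);
    the two differ exactly when the user's session was dropped.
    """
    root = context_path.rstrip("/")          # "/foo"
    cookie_path = root + "/"                 # Tomcat's cookie path: "/foo/"
    jar = {}                                 # browser cookie jar: cookie path -> JSESSIONID
    ids = itertools.count(1)                 # constructed session ids

    def upstream(path, presented):
        """Tomcat plus webapp: returns the session id the response leaves in the browser."""
        if path == root:                     # Tomcat redirects "/foo" -> "/foo/" itself;
            return presented                 # the app never sees it and sends no Set-Cookie
        creates = (path == cookie_path + "login.jsp"              # constructed login endpoint
                   or (path == cookie_path and presented is None and root_creates_session))
        if creates:
            new = "sess-%d" % next(ids)
            jar[cookie_path] = new           # Set-Cookie: JSESSIONID=...; Path=/foo/
            return new
        return presented

    def browse(path):
        presented = next((sid for cp, sid in jar.items() if path_matches(path, cp)), None)
        forwarded = cookie_path if (proxy_rewrites_root and path == root) else path
        return upstream(forwarded, presented)

    issued = browse(cookie_path + "login.jsp")   # log in: session created, cookie stored
    browse(root)                                 # follow a link to "/foo" (no slash)
    return issued, jar[cookie_path]
```

With a correct proxy, or with the root no longer creating sessions, the replay returns the same id twice; only the combination described in the report overwrites the cookie.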

People

ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
mquail Matt Quail (Inactive)