I have looked at the data:
Comparing Chrome against IE9 using an application called "Fidler".
By looking at the data I noticed that the server/tomcat sends a new cookie JSESSIONID for each URL
in this case
one for the JSP page and
one for the "Capthca" servlet page.
By inspecting further, almost missed this; I noticed that IE9 did not send the cookie to the server for the second call (Capthca servlet),
and that is why the server(
tomcat) issues a new JSESSIONID cookie.
by calls I mean
1) Serve JSP page
2) Serve Captcha page
Still not sure how to fix this though
I am starting to think that this is more of an IE9 and Tomcat issue
System.out.println("JSP ID:"+session.getId());
Gives a new ID for each page refresh in IE9, WHY ???