Basic authentication by itself does not require the use of session, is your web app accessing a HTTP session after the authentication? That would be the time a session ID is generated and returned to the client.
No we do not. As I said we only used the cookie for sitckiness as we wanted all the requests following the first one without a cookie to go to the same server in a cluster (I guess we could manage our own cookie). I just asked the question to confirm that this was the 'normal' behavior of JBoss and not something that I had mis-configured.
EDIT: Actually I take that back. We probably access the session.