Using IE6 I disable all kind of cookie. When IE6 make a request to Tomcat the method HttpServletRequest.isRequestedSessionIdFromCookie() returns true, but cookies is disable. I test this with Firefox and IE7 and works OK (return false). I cleaned all the cookies before test this.
The only way that this can happen is if the client sent a cookie. You can use ieHttpHeaders to confirm this is happening in IE6.