Thymeleaf shouldn't create new sessions (but it should respect it if one's already been created).
I'm still patching the code, but I'm pretty sure you can fix it by passing false to the call to request.getSession(boolean) in WebContext(final HttpServletRequest request, final Locale locale, final Map<String, ?> variables), below the assertions: final HttpSession session = request.getSession(true);
Switch that to false and then do null checks wherever the session's expected. If it's not there, then it and the attribute maps that depend on it can just be empty/null.
This of course gets called in ThymeleafView#render, which in turn creates a SpringWebContext, which in turn delegates to thsi super constructor. It'd be awesome if all session-related features (including URL rewriting) could be opt-in.