When I make a request locally, I have no problems at all maintaining my FlexSession; however, when I make a request from another computer, it creates duplicate FlexSession for every request. I noticed the JSESSIONID is different for each request which is what's probably causing the duped sessions.

But I have no idea why this is happening. The specific error I get is:

Channel.Ping.Failed error Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly.

My crossdomain.xml is as follows:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="*" secure="false"/>
    <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

EDIT:

We are using spring-flex integration on the backend. Also, this happens in multiple browsers; we tried IE, Firefox, and Chrome.

Here's the Flex code:

var ro : RemoteObject = new RemoteObject("myDestination");
ro.endpoint = "http://localhost/foo";
ro.source = "com.bar.MyService";

var op : AbstractOperation = ro.getOperation("serviceMethod");
op.addEventListener( FaultEvent.FAULT, ro_faultHandler );
op.addEventListener( ResultEvent.RESULT, ro_resultHandler );
op.send();

There are three articles describing what happens. The articles are written by some guys working on BlazeDS and you should be able to fix your problem after reading them. If not, try to create a functional test reproducing the problem and I'll take a look.

Alex's blog
Mete's blog
Lin's blog