Reopened: '?SID' in URL even if disabled

[hostep]

This is a duplicate of #5517, but after waiting for several weeks for that ticket to be reopened, I'm creating a new ticket

Preconditions

• Magento CE 2.1.5
• PHP 7.0.16
• Apache 2.2.32

Steps to reproduce

1. Install Magento CE 2.1.5 using composer
2. During the installation, set the base url to: https://www.m2.dev/
3. In your Apache configuration, set up a VirtualHost with 2 domains, one with 'www' and the other without 'www', something like this:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile "/opt/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/opt/local/apache2/conf/server.key"

    ServerName m2.dev
    ServerAlias www.m2.dev

    DocumentRoot "/path/to/magento2/pub"
    
    <Directory "/path/to/magento2/pub">
      Options Indexes FollowSymLinks ExecCGI
      AllowOverride All
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

4. After the installation, do this:

$ curl -I --insecure https://www.m2.dev/
HTTP/1.1 200 OK
# good, is expected!

$ curl -I --insecure https://m2.dev/
HTTP/1.1 302 Found
Location: https://www.m2.dev/?SID=abcdef...
# good, is expected!

5. Now change the Magento setting: General => Web => Session Validation Settings => Use SID on Storefront => No
6. Flush your caches
7. Execute the same thing as above:

$ curl -I --insecure https://www.m2.dev/
HTTP/1.1 200 OK
# good, is expected!

$ curl -I --insecure https://m2.dev/
HTTP/1.1 302 Found
Location: https://www.m2.dev/?SID=abcdef...
# NOT good, there should be NO ?SID in the url!

[vityakopin]

Internal ticket MAGETWO-70322 was created.

[magento-engcom-team]

@hostep, thank you for your report.
We've created internal ticket(s) MAGETWO-70322 to track progress on the issue.