The session information is information managed by the HttpSession object defined in the Servlet API.

The management of the session information starts at the following points:

• In a servlet, when the HttpSession object is referenced.
• In a JSP, when a reference to a page occurs (however, this is a default case).

After management of the session information starts, if request is sent from the same browser process to servlets in the same Web application, the HttpSession object of the managed content is passed to the servlet.

However, the HttpSession object instances actually passed to the servlet are different for each request. In other words, the HttpSession objects with the same contents but different instances might be passed in a series of requests belonging to the same session.

Therefore, note the following points in the operations for the HttpSession objects:

• When accessing an HttpSession object, you need to acquire the instances for each request.
• Do not cache the references to the HttpSession objects across multiple requests.
• Furthermore, locking the HttpSession objects with 'synchronized' keyword of java is also meaningless. Do not lock the HttpSession objects.

The HttpSession objects are stored only in single JavaVM. Therefore, if a failure occurs in a JavaVM process (J2EE server) running as a servlet engine, the session information stored in the HttpSession object is lost.

Also, the session information is lost when the J2EE server terminates regardless of normal or abnormal termination.

If you want to store the session information even after the J2EE server terminates, use the session failover functionality that is the Application Server functionality. For details on the session failover functionality, see 5. Inheriting Session Information Between J2EE Servers in the uCosminexus Application Server Expansion Guide.