Just a quickie.
We ran into an issue with our app today that at its root had a problem with the default value for the "session" attribute of JSP pages. Lesson learned: session is set to true by default. In other words, unles you specify the following:
<%@ page session="false" %>
your JSPs will automatically request a session object.