This is how it's supposed to be. Sessions are scoped per web application. See the Servlet spec: anonymous wrote : | "SRV.7.3 Session Scope | HttpSession objects must be scoped at the application (or servlet context) level. | | The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in | that object, must never be shared between contexts by the container. | To illustrate this requirement with an example: if a servlet uses the RequestDispatcher to call a servlet in another Web application, any sessions created for and visible to the servlet being called must be different from those visible to the calling servlet. | View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041288#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...