Session sharing again

Similar Messages

• Load balancing and session sharing

  Hi,
  in my company we have the following situation:
  We have 2 instances of the same web application on differend servers.
  An external load balancer (Alteon) routes the requests to these instances.
  The problem:
  If one instance is shutting down, all the sessions of this app are gone. These users has to login again.
  The question:
  Is it possible to avoid this?
  Is is possible to keep these session, so the users don't have to login again?
  Maybe with a kind of session sharing between these 2 instances?
  using:
  oc4j standalone - 10.1.3.1
  OS: Windows
  thank you
  Marcus

  The solution:
  Multicast IP replication is the default replication protocol used in a standalone OC4J installation
  see: http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/cluster.htm#BABBHGHJ
  -> Configuring Multicast Replication

• Session sharing/reuse issues

  Hi,
  I have multiple application set-up using session sharing within the workspace.
  Technically all works fine, however it does not play nice with user behaviour.
  Example:
  Users logs into APP_ID:100. Since he isn't authenticated yet, he provides user/pass and the APP_SESSION is authenticated.
  Now if the user switches using to another application (using a link provided in application 100) he gets redirect to APP_ID:101:APP_SESSION all is fine.
  The session is already authenticated, the application shares the session and the user gains access to app 101 without having to authenticate again.
  All's fine!
  However users don't behave they way. Instead of using an easy link in the application. They will use their own bookmark or type in the url for app 101 manually.
  That way the next application is either called with f?p=101:1:[SOME OLD SESSIONID FROM BOOMARK] or f?p=101 (with no further page or session info)
  In both cases instead of using the already authenticated session apex spawns a new session, which of course isn't authenticated yet thus forcing the user to authenticate and come complaining they have to login again.
  Similar behaviour problems exists when the user opens a browser and tries to open both applications in each in a tab next to each other.
  Both tabs fetch there own initial session id and start writing it to the same cookie each in turn invalidating the other tab's session.
  These can lead to some fanatic ping pong actions. Thus it's impossible to open 2 applications sharing session in the same browser.
  Is there any remedy for these situations?
  Can apex be as smart as for instance first trying to resume the session stored in the cookie and only if that session is invalid, start a new session?
  Thanx
  apodictus

  Hi,
  I'll just try to answer one of your questions..
  apodictus wrote:
  Similar behaviour problems exists when the user opens a browser and tries to open both applications in each in a tab next to each other.
  Both tabs fetch there own initial session id and start writing it to the same cookie each in turn invalidating the other tab's session.
  These can lead to some fanatic ping pong actions. Thus it's impossible to open 2 applications sharing session in the same browser.
  Is there any remedy for these situations?
  Can apex be as smart as for instance first trying to resume the session stored in the cookie and only if that session is invalid, start a new session?The brilliant feature you want to get rid off is session sharing. Not the one you describe, but the one Microsoft implemented in IE7->
  All developers have this kind of problem, so they naturally create a way to turn them off.
  And when using ie you have two command line switches..
  iexplore.exe -noframemerging
  iexplore.exe -nomergehttp://msdn.microsoft.com/en-us/library/ee330728%28VS.85%29.aspx
  I'm sure that Firefox and Chrome have a simelar set of switches/hidden settings...
  or just use private browsing...
  /kenny

• Session Sharing between Webapps

            Hi everybody,
            I have read that session sharing between webapps is possible since Wls 6.1 using
            the same name
            for a cookie in the webapps.
            I have created a webapp named myPortal (for example) and a second named Navigation.
            The first webapp
            includes content of the second webapp
            After deploying the webapps in WLS and printing out the sessionid in each of the
            webapps, I found out
            that unfortionally the sessionid in the two webapps are not identical.
            My Question is: Is session sharing possible, or should I create a workaround?
            Here is my environment:
            WLS 6.1 on SUN running in developmentmode
            two webapps, deployed as .war file and/or as .ear file
            Cookie Name is configured to be identical in the two .war Files
            Regards,
            Ed
            

  Search this newsgroup for a reply post on this by me. I incorrectly went down the
            primrose path on this one, too. I was corrected by Cameron Purdy. I did a bunch of
            impirical research on this and came to the same conclusion you have come to. The spec
            doesn't require it and, in fact, says that separate webapps have separate contexts, so
            they don't share sessions, even if the cookie is the same name.
            Bill
            Eduard van den Bongard wrote:
            > Hi everybody,
            >
            > I have read that session sharing between webapps is possible since Wls 6.1 using
            > the same name
            > for a cookie in the webapps.
            > I have created a webapp named myPortal (for example) and a second named Navigation.
            > The first webapp
            > includes content of the second webapp
            > After deploying the webapps in WLS and printing out the sessionid in each of the
            > webapps, I found out
            > that unfortionally the sessionid in the two webapps are not identical.
            > My Question is: Is session sharing possible, or should I create a workaround?
            >
            > Here is my environment:
            >
            > WLS 6.1 on SUN running in developmentmode
            > two webapps, deployed as .war file and/or as .ear file
            > Cookie Name is configured to be identical in the two .war Files
            >
            > Regards,
            >
            > Ed
            

• How to prevent session sharing ???

  I am getting a problem when i access my application with different logins from same machine ( same browsers ) ,
  then old login session is updating with new login session,
  how can i prevent this session sharing?
  thanks in advance

  What's probably happening is that you use file cookies (cookies are stored in your file system).
  1. You log in from browser 1 as User A. The server sets a session cookie on your file system.
  2. You continue to work from browser 1. The session cookie gets sent in every request and all is fine.
  3. Now you open another browser and log in as User B. The server sets a session cookie identifying you as User B on your file system.
  4. This overwrites the cookie that was set earlier that identified you as User A The concept is that you can have only one cookie from a server for a specific purpose (session identification in this case)
  5. When you go back to browser 1 now and access the site, the second cookie gets sent (the one that identifies you as User B) and you are logged in as User B now.
  ram.

• Session sharing among multiple WAR files inside an EAR file

  Hi all,
  Is there a way where I can share my session object among multiple WAR files which are inside an EAR file?
  Please suggest.

  r035198x wrote:
  Some application servers (like Weblogic) allow to configure session sharing when you deploy the application.Sidenote: which is completely against the servlet spec.

• Does Session Sharing feature provided by SAP Net Weaver application server

  Hi All,
  Session Sharing is an additional feature provided by Tomcat , Weblogic  and Web sphere application servers.
  Is this feature available in  SAP Net Weaver application server?
  Brief description on Session Sharing
  Session Sharing  specifies whether HTTP sessions are shared across multiple Web applications.
  In Weblogic this is an optional feature customizable in weblolgic-application.xml
  Sample weblogic-application.xml
  <?xml version='1.0' encoding='UTF-8'?>
  <weblogic-application xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <session-descriptor>
        <persistent-store-type>replicated_if_clustered</persistent-store-type>
        <sharing-enabled>true</sharing-enabled>
  </session-descriptor>
  </weblogic-application>
  session-descriptor (Optional Element ) - Specifies a list of configuration parameters for servlet sessions.
  sharing-enabled (Optional Element ) - Specifies whether HTTP sessions are shared across multiple Web applications. Default value is false.
  Thanks in advance.
  Regard's
  Srikanth
  Edited by: Srikanth A on May 14, 2010 7:36 PM

  Hi,
  You cannot set up Garbage collection frequency. it is internally handled by Java when the Heap size is filled up.
  You can always fine tune your server to SAP recommendations.
  Note 723909 is a good starting point.
  Also other checks include that you use SAP recommended Java versions, OS patches and also that you have enough physical memory.
  Thanks & Regards,
  Vijith

• HTTP session sharing

  Hi,
  We have a need for session sharing among the different JVMs and have been trying the application cluster functionality with zero luck. Now we are thinking of looking into coherence because by reading the documentation we came to know this is something we could accomplish it. Since being a very new on this, have anyone done this and if you have can we get some information on how to do it. We will really appreciate your help on this.
  Thanks,
  Raj

  To better understand the background of your root problem,
  1) which Application Server product are you using?
  2) the term "clustering" may mean different things to different App Server implementations. Does your reference to clustering also mean "Http Session Replication" has been specifically enabled, or that by simply clustering JVMs you expect this to happen automatically?
  3) is access to the session needed by the same web app or different web apps in the JVMs?

• Session sharing among different web application under Oracle AS

  Hi,
  I'm looking for some information on web application session information sharing under Oracle AS10.1.3.
  any pointers are highly appreciated.
  Thanks,
  Narasimha.

  Hello,
  I see that you have duplicate your post in different forums, Session sharing among different web application under Oracle AS10.1.3.
  Regards
  Tugdual Grall

• Any updates on Portlet/Servlet session sharing (for AJAX)

  Hey all,
  I've found a few threads about accessing the portlet session from a JSP that have gone stale. Has anyone found a good method for sharing the session in this way?
  I've read through Peter Moskovits ts-1941 presentation, but it's difficult to really follow by itself...and I'm reading through the paper on "Integrating Password Protection" and deep linking. I think I'm following all of the requirelments it lists to be able to access the session in "deep link" pages but no luck yet.
  Any one have some working examples? I'm pretty new to portlets so, some of the Oracle classes in the PDK are still unfamiliar terrain for me.

  An update. I adjusted some of my settings and now I can get things I create in my session in the portlet code to be visible in my JSP code when I make AJAX calls. Great.
  My problem now is that I can't get the actual portlet code to see the session objects. I'm trying the code I found in the Portal Developer's Guide to store the number of render requests in session:
  <pre>
  PortletRenderRequest pReq = (PortletRenderRequest)
  request.getAttribute(HttpCommonConstants.PORTLET_RENDER_REQUEST);
  ProviderSession pSession = pReq.getSession();
  if (pSession != null)
  String key = PortletRendererUtil.portletParameter(pReq, "count");
  Integer i = (Integer)pSession.getAttribute(key);
  if (i == null)
  i = new Integer(0);
  i = new Integer(i.intValue()+1);
  pSession.setAttribute(key, i);
  %>
  Render count in this session: <%=i%>
  <%
  else
  %>
  The session has become invalid
  Please log out and log in again.
  <%
  </pre>
  When I ran this code, I see a count of 1 on the first attempt. Then my session object disappears and I'm told the session has become invalid. I turned off the "same cookie domain" option and now my counter works correctly, but my JSPs no longer can see the session variables through session.getAttribute(...).
  I think I understand why turning off the "same cookie domain" stops the JSP from seeing the session object (even though my portlet is deployed on the server). Why does turning on "same cookie domain" stop the portlet from seeing the ProviderSession object after the initial request?

• Session Sharing between Portal and Baja servlet(UIX)

  Hi guys,
  I'm having real trouble trying to share a portal session with an external servlet session, in order to enable some file upload functionality. I found an older post (Re: cannot do a select on a table which mentioned a couple of pre-reqs for doing this, but they don't seem to work. I've enabled the the "Same Cookie Domain" checkbox. On checking the cookie values generated by portal, i noticed that none of them have a domain value:
  Cookie name :ORA_DG2 cookie//domain : null//cooki val :mrlMP%2F8%2FMP%2F8
  Cookie name :ORA_UCM_VER//cookie domain : null//cookie val :%2FMP%2F8pgqfg%2Cl_w_p%3Emp_ajc%2CamkMP%2F8neode*j%5Du%5Dn%3Ckn%5D_ha*_kiMP%2F80.3%2C005%2C21%2C%2F1MP%2F8.%2C1*..3*0%2F*-%2F
  I tried setting my own cookie, but when I forward the request from portal to my (external) UIX servlet, a new session is created and all cookies are lost.
  Dev env: ias102222, Jserv, with Portal 3.0.9.8
  Any help will be much appreciated, I'm pretty much stuck on this one. The old post also mentioned a document to read (" See documents on session handling and Integrating Password Protected Applications into Oracle Portal - downloadable from portalstudio.oracle.com. "), but I've spent quite some time looking around on portalstudio, and haven't found it.
  thanks,
  rishi

  Hi,
  As you suggested, I took the issue up with the Cabo team, and the conclusion seems to be that either it may be a jserv bug, or something to do with JPDK. the UIX redirection code simply uses HttpServletResponse.sendRedirectURL()) for doing its work.
  Sorry about the long post, thought I'd give some more info about what i'm seeing. I hope I'm doing everythng that is needed for session mgmt in PDK. I've got the "Once Per Session" box and "Same Cookie Domain" boxes checked. This is what the jserv.log looks like :
  [01/05/2002 15:59:36:093 PDT] oracle.osf.UixServlet/Event = null
  [01/05/2002 15:59:36:093 PDT] oracle.osf.UixServlet/Parameter portalid=24935
  [01/05/2002 15:59:36:109 PDT] oracle.osf.UixServlet/Parameter [email protected]
  I assume that the 'oracle.osf.UixServlet' above indicates the servlet zone, in which case the portlet UIX and the second UIX are both in the same zone. One thing i notice is that the domain cookie is always null. do it need to be explicitly set in order to have the correct value?
  Here's the log from the time the first page is accessed, to the stuff printed out during the redirect. Note that 'sessid' changes after the redirect(revelent lines below are marked between '------'):
  [02/05/2002 13:06:08:062 PDT] oracle.osf.UixServlet/Prov Msg : PortletPageBroker: ***********************************************************
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Requested page = Page[name=selfserv/reqUpload]
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Event = reqUpload.upload
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter rendermode=6
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _portletid=20
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _border=0
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _action=showPortlet
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter [email protected]
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter authlevel=10
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter providerid=249353600001
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter backurl=http://dragon2-nt.us.oracle.com/servlet/page?pageid=553,555&_dad=portal30&_schema=PORTAL30
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter backurl=http://dragon2-nt.us.oracle.com/servlet/page?_pageid=553,555&_dad=portal30&_schema=PORTAL30
  26_portletid%3D20%26_referencepath%3D938_PROCESS_2493536%26_backurl%3Dhttp%253A%252F%252Fdragon2-nt.us.oracle.com%252Fservlet%252Fpage%253F_pageid%253D553%252C555%2526_dad%253Dportal30%2526_schema%253DPORTAL30%26_mode%3D6%26_title%3DProcess%2524bjSt%253Dadb2b61d
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter 249353600001.20.938_PROCESS_2493536.next_page=reqUpload
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter [email protected]
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter portletid=20
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _title=Process$bjSt=adb2b61d
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter [email protected]
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _providerid=2493536
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _logintime=2002-05-02-12:47:04
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter pageurl=http://dragon2-nt.us.oracle.com/servlet/page?_dad=portal30&_schema=PORTAL30&_type=portlet&_providerid=2493536&_portletid=20&_referencepath=938_PROCESS_2493536&_backurl=http%3A%2F%2Fdragon2-nt.us.oracle.com%2Fservlet%2Fpage%3F_pageid%3D553%2C555%26_dad%3Dportal30%26_schema%3DPORTAL30&_mode=6&_title=Process%24bjSt%3Dadb2b61d
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter portalid=24935
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter loginurl=https://dragon2-nt.us.oracle.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login?p_app_id=
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter _type=portlet
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter instancename=938_PROCESS_2493536
  [02/05/2002 13:06:14:250 PDT] oracle.osf.UixServlet/Parameter referencepath=938PROCESS_2493536
  [02/05/2002 13:06:14:265 PDT] oracle.osf.UixServlet/Parameter hastitle=0
  [02/05/2002 13:06:14:265 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: SourcePage: selfserv/reqUpload
  [02/05/2002 13:06:14:265 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: getPage: redirectURL
  [02/05/2002 13:06:14:265 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: getPage sessid =7t9gjv18w1.qQvvsA5H/BjN/AXMmkbGngTxpQOUp6XxmkLCpRbOcxeRc3y-
  [02/05/2002 13:06:14:265 PDT] oracle.osf.UixServlet/Rendering page = Page[name=redirectURL,state=cf6605c5,url=http://shazam.us.oracle.com:7778/servlet/oracle.osf.UixServlet/selfserv/requploadFile?accountId=9&sesid=7t9gjv18w1.qQvvsA5H/BjN/AXMmkbGngTxpQOUp6XxmkLCpRbOcxeRc3y-,islog=event=reqUpload.upload&_render_mode=6&_portletid=20&_border=0&_action=showPortlet&[email protected]&_auth_level=10&_provider_id=249353600001&_backurl=http://dragon2-nt.us.oracle.com/servlet/page?_pageid=553,555&_dad=portal30&_schema=PORTAL30&_back_url=http://dragon2-nt.us.oracle.com/servlet/page?_pageid=553,555&_dad=portal30&_schema=PORTAL30&_design_url=http://dragon2-nt.us.oracle.com/servlet/page?_dad=portal30&_schema=PORTAL30&_type=portlet&_providerid=2493536&_portletid=20&_referencepath=938_PROCESS_2493536&_backurl=http%3A%2F%2Fdragon2-nt.us.oracle.com%2Fservlet%2Fpage%3F_dad%3Dportal30%26_schema%3DPORTAL30%26_type%3Dportlet%26_providerid%3D2493536%26_portletid%3D20%26_referencepath%3D938_PROCESS_2493536%26_backurl%3Dhttp%253A%252F%252Fdragon2-nt.us.oracle.com%252Fservlet%252Fpage%253F_pageid%253D553%252C555%2526_dad%253Dportal30%2526_schema%253DPORTAL30%26_mode%3D6%26_title%3DProcess%2524bjSt%253Dadb2b61d&249353600001.20.938_PROCESS_2493536.next_page=reqUpload&[email protected]&_portlet_id=20&_title=Process$bjSt=adb2b61d&[email protected]&_providerid=2493536&_logintime=2002-05-02-12:47:04&_page_url=http://dragon2-nt.us.oracle.com/servlet/page?_dad=portal30&_schema=PORTAL30&_type=portlet&_providerid=2493536&_portletid=20&_referencepath=938_PROCESS_2493536&_backurl=http%3A%2F%2Fdragon2-nt.us.oracle.com%2Fservlet%2Fpage%3F_pageid%3D553%2C555%26_dad%3Dportal30%26_schema%3DPORTAL30&_mode=6&_title=Process%24bjSt%3Dadb2b61d&_portal_id=24935&_login_url=https://dragon2-nt.us.oracle.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login?p_app_id=&_type=portlet&_instance_name=938_PROCESS_2493536&_referencepath=938_PROCESS_2493536&_has_title=0,islogged=true]
  [02/05/2002 13:06:14:281 PDT] oracle.osf.UixServlet/Prov Msg : PortletPageBroker: PageName=redirectURL
  [02/05/2002 13:06:14:281 PDT] oracle.osf.UixServlet/Prov Msg : PortletPageBroker: ***********************************************************
  [02/05/2002 13:06:23:031 PDT] oracle.osf.UixServlet/Requested page = Page[name=selfserv/requploadFile]
  [02/05/2002 13:06:23:031 PDT] oracle.osf.UixServlet/Event = null
  [02/05/2002 13:06:23:031 PDT] oracle.osf.UixServlet/Parameter accountId=9
  [02/05/2002 13:06:23:031 PDT] oracle.osf.UixServlet/Parameter sesid=7t9gjv18w1.qQvvsA5H/BjN/AXMmkbGngTxpQOUp6XxmkLCpRbOcxeRc3y-
  [02/05/2002 13:06:23:078 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: SourcePage: selfserv/requploadFile
  getPage: selfserv/Login
  [02/05/2002 13:06:23:078 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: bc is oracle.cabo.servlet.BaseBajaContext@e1381b00
  [02/05/2002 13:06:23:078 PDT] oracle.osf.UixServlet/Prov Msg : SelfServPageFlowEngine: getPage sessid =8cuavt19b1.qQvvsA5H/BjN/AXMmkbGngTxpQOUp6XxmkLCpRbOcxeRc3y-
  Again, i don't know how helpful this log is, but any pointers would be much appreciated.
  rishi

• Context session sharing

  Researching a lot in this topic, I found out various ways to share session information between differentes contexts in a Tomcat 5 Container, including files pseudo-sessions, URL rewriting, and even an context configured in Tomcat with a shared option set to true.
  The URL rewriting sounds the simplest solution, but I could'nt make it work. Even adding the ;jsessionid=key in the URL, the session doens't existis in the another context, what conforms to the documentation I'd read.
  So, how is possible to share a session between diferents contexts using URL rewriting? Or, the cleanest way to share a login made by an user in a context for all others context's?

  Sharing session context between WebApp is not possible with OC4J including OC4J 10.1.2.x. (I didn't test with the new OC4J 10.1.3)
  According Servlet Spec 2.3 (SRV.7.3 Session Scope):
  HttpSession objects must be scoped at the application (or servlet context)level.
  Some Application Servers implement this non compliant feature but I think this is a really bad practice (but sometimes usefull)
  Jean-Marc --

• Session Persistance / Session Sharing

  I have 2 administration servers that share sessions thru a NFS mount file system. Is that allowed ? It seems to work most of the time, except for some instances where users are being kicked out because of invalid sessions/because the server could not find the sessions. Why does this happen ? Is it possible that both the admin servers create sessions with same session id's (once in a while )
  Please shed some light.

  Hmm, is there really no other way - it sounds like a maintenance nightmare to update the server lib every time I deploy a new version of one of the apps. Anyways, in both apps I use JNDI to look-up the EntityManager, doesn't that mean that I share the same persistence unit? All I really want to achive (I think) is to share the TopLink session between those two apps (and the cache will be shared consequently). What about manually managing the TopLink session (retrieve/invalidate) wouldn't that help?
  On a different front - I played with the TLE cache settings a little bit to see when/what SQL queries are actually executed and I was quite surprised to see that even with the 'Full' caching enabled SELECTs/UPDATEs are executed instantly whenever merge/find operations are executed (I'm using MySQL and the query log). Is there a way to defer those to put less load on the SQL server?

• Session sharing or authentication filter ???

  here is the situation
  user comes on main web site. after he logs into system, he sees our new link.(say sample1.jsp) which should be protected and which is hosted on different application server then main.
  so how i protect sample1.jsp behind login. like if user access and add that to favorite, next time he should be redirected to main web page.
  or if user enters that sample1.jsp link direct without login, then i should be able to re-direct him to login page again.
  what is the best approach to handle this? once user logs in, he has some session associated with him.

  I am not an expert but I doubt a web user ever "sees" jsp code. JSP code runs on the server and returns a result to the user.
  I could be mistaken though.

• Session sharing acrossed ears

  Is it possible to share a session across multiple EAR's? I have successfully shared sessions across multiple WAR's in a single EAR by using the session scoping and session path information.

  According to the spec, Sessions aren't suppose cross WARs. However, with IBM's Websphere, you are able to "enable" "Shared Session Context" across multiple WARS in a single EAR and provided the virtual domains for each WAR are the same.
  This is nice because it gives a developer the flexibility to logically breakup a large site into multiple war applications under the same EAR without having to worry about session management. For example, you can have a BrochureWAR, LoginWAR and a MemberForumWAR, MemberPaymentWAR, etc... all in the same EAR. The LoginWAR would put a UserObject into Session and the other MemberWARs could use it. Otherwise you would have to use the dreaded EJB solution or roll-your-own webservice state machine.
  As a quick note, be sure that any Object you put into the Shared Session Context is loaded using the Server's classpath and not the WAR's classpath. If you don't and you load a FooObject from WAR1 lib into session, a read from Session by WAR2 will throw a ClassNotFound error because of differing classloaders. Know what I mean?
  Now with all that said, I want Shared Sessions across EARs (obviously for WARs of the same domain of course). In this way, I would be able to completely remove/upgrade certain area's of a Very Large webappliction without effecting other areas for example: someWebSitesMemberPaymentEAR without effecting someWebSitesMemberForumEAR. Of course I could achieve this with all webapplications calling some Stateful WebService or EJB thing backend too but GOSH... thats alot of work for Session Management across EARs. Where's the easy button?