The first post by Brian Goetz nicely sums up that HttpSession and friends are trickier than they look. Taking a close look at sessions and threads, the threading risks involved in Web applications, and solutions to minimize these risks.
A second post by Michael Chermside takes a look at Threadsafe Java Servlets, also touching upon the particularities of Java sessions and threads.
Read Brian Goetz's complete post 'Are all stateful Web applications broken?':
Read Michael Chermside's complete post on 'Threadsafe Java Servlets':