http://www.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint
There is no notion of a user session in WS at the message level. You could add an appllication specific header that contains the session id.