This is how it's supposed to be.
Sessions are scoped per web application. See the Servlet spec:
"SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level.
The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
To illustrate this requirement with an example: if a servlet uses the RequestDispatcher to call a servlet in another Web application, any sessions created for and visible to the servlet being called must be different from those visible to the calling servlet."
OK, I understand that, and in fact I found a similar statement after having posted my questions. Is there a way (through configuration) to force the behaviour I am attempting to achieve?