OK. Found the problem. In my war file I had a context.xml file which, I guess, didn't fit the new servlet engine api. It caused that when a jsp was directly called from the client the session cookie wasn't sent (or wasn't read by the container) and thus a new session was created. When I removed this file everything worked. I now need to recap my steps to understand why I used the context.xml in Jboss 4.2.3 and if I need to use some of the configuration there.