Please see the Tomcat bug:
http://issues.apache.org/bugzilla/show_bug.cgi?id=36541
It might not be so bad if developers could actually access all of the places the HttpSession is accessed to synchronize everything. JBoss may be affected by this as well.
Apparently there are issues with this JBoss forum... the title included Tomcat 5.5.x when I submitted it. Both versions are affected, with Tomcat 5.0.x being worse.