Are you using container managed security (i.e. configured in web.xml)? If yes, to answer your questions:
1) The session is created during the request that creates the login page.
2) FORM based authentication won't work without sticky sessions. If you post the login form to a different server than the one that issued it, it won't work.
3) Session cookies are scoped either to the webapp or the host, so if you change hosts the browser will not present the session cookie, so that won't work.