that's on purpose, the cookie jsessionid used has the property to do that. is that a problem for you ?
otherwise the remember me will not work. the problem is that once a cookie has been sent, it's lifetime cannot be changed anymore.
The problem you describe is probably caused by the way Internet Exploder handles cookies. The session id is stored in the cookie and different instances of IE share this information when 'pointing' to the same site.
Do not consider circumventing this problem by sending the session id in URL... Bad practice.
In another project (where JBoss is not involved) one of our manager has a dual role: manager and regular user. He wants to have two (2) distinct ids and sometime he wants to have a window opened with his manager id and another window with his regular user id.
In another circomstances it could be usefull to have two windows with two different ids just for testing purpose.
The "Remember me" mecanism is very nice but when someone chooses to NOT use it, the system should not be limited or restricted the way Julien has described. When the "Remember me" is not checked, the cookie's expiration date should be set to zero (meaning as soon the user close the window) and when the user log out, the cookie should be remove and the session invalidated.
In fact, the "Remember me" cookie (with a long period of existence) should be distinct of the SessionId cookie.The Remember me cookie would be handled by Nukes and the SessionId cookie by the Jetty/Tomcat engine itself. It is clear that when a user log in (not using the "Remember me" mecanism) a new session is created.
How do you open the second browser window?
In my experience you can logon to applications using true servlet-sessions (and not the concept used by most *nukes: ip-address...) by starting two instances of the browser.
If you press "ctrl-n" in your browser this normally gives you a second window, but no second instance. If you (windows...) double-click a second time on the browser's icon, this usually gives you another instance with separate cookie-management.
A possible problem might be, if you use persistant cookies. I know the above description works perfectly when I have cookies that are only valid for the actual session...