Hi Silvio,
The HttpSession is a server object and thus its lifecycle is managed by the server. Applications should not try and hold references to these objects, as you've discovered ;)
There isn't an API provided by the spec that would allow you to randomly access any session by its id. I wouldn't encourage you to try and use any Jetty-specific APIs to do that either, as once again you could wind up in a mess trying to manage session lifecycles that are designed to be managed by the container. So I don't see any easy way of proactively invalidating and removing a session that is not part of the current request.
Instead, you could investigate an approach like:
+ set a reasonably short timeout on sessions (tuned to your app's usage): if the user logs in again somewhere else and never refers to that session again, it will time out
+ keep a map of user -> sessionid that is the currently "valid" one, and use a filter in your app to check if the user,sessionid tuple of the current request is in that map; if not, invalidate the session or just reject the request and let the session time out
An alternative approach would be to do a custom LoginService or JAAS LoginModule that prevented a subsequent login if the user is already logged in. You would still need to manage and consult your own map of logged-in users.
cheers
Jan
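
Added example, not part of the original message and not Jetty code: one way to write the user -> sessionid filter suggested above, where the newest login for a user supersedes any older session. It assumes the `javax.servlet` API, that authentication state lives in the session (for example FORM auth), and a single JVM; the class name `SingleSessionFilter` and the attribute name are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class: register it as both a filter and a session listener.
public class SingleSessionFilter implements Filter, HttpSessionListener {
    // user -> id of the one session currently considered valid for that user
    private static final ConcurrentMap<String, String> VALID = new ConcurrentHashMap<>();
    private static final String MARK = "singleSession.user"; // hypothetical attribute name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser();
        HttpSession session = req.getSession(false);
        if (user == null || session == null) { // anonymous request: nothing to enforce
            chain.doFilter(rq, rs);
            return;
        }
        if (session.getAttribute(MARK) == null) {
            // First authenticated request on this session: treat it as a new
            // login and make it the valid session, replacing any older one.
            session.setAttribute(MARK, user);
            VALID.put(user, session.getId());
        } else if (!session.getId().equals(VALID.get(user))) {
            // Older session of a user who has since logged in elsewhere.
            session.invalidate();
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session superseded by a newer login");
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void sessionCreated(HttpSessionEvent e) {}

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Timeout or logout: drop the entry only if it still points at this
        // session, so a superseded session cannot remove the newer mapping.
        Object user = e.getSession().getAttribute(MARK);
        if (user != null) VALID.remove((String) user, e.getSession().getId());
    }
}
```

The filter only ever touches the session bound to the current request, so the container keeps control of session lifecycles; a stale session is invalidated on its next request or expires through the normal timeout.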