Thanks for the response and the digging, but I'm not quite sure what to do with the answer. Are you saying that what I am getting is expected behavior? I'm not explicitly making a call anywhere to getCookies or getSession--it happens automatically "under the hood" so to speak through my use of session scoped JSF backing beans and JSF translated to jsp pages.
Maybe what I should do is add a call HttpRequest.getSession(false) when my login form is activated? I will give that a go. Sorry for the delayed response--I'm in the midst of having my team deploy two rather large glassfish apps.
Jason
[Message sent by forum member 'jrobey' (jrobey)]
http://forums.java.net/jive/thread.jspa?messageID=301705