Okay, so, I went source diving to find this, but eventually got it.
Re #1: The sessionIds are generated by com.sun.enterprise.util.uuid.UuidUtil, which uses a combination of the following.
a) the 2 low bytes of the present time formatted
b) System.identityHashCode of the session instance
c) the ip addr of the machine plus some random
d) a random number from a SecureRandom
And all numbers are formatted as hex.
So, Re #2: I'm not an expert on the theoretical guarantees of randomness, but I would classify this as pretty-damn-near-guaranteed-unique.
[Message sent by forum member 'rwillie6']
http://forums.java.net/jive/thread.jspa?messageID=467893