According to the servlet2.3 specification, a new session should be created for each web application, even if the application is accessed through RequestDispatcher. So if a servlet1 in application1 access a servlet2 in application2 via the RequestDispatcher, each servlet should have it's own session. For tomcat 4.0.4, the same session is shared between the servlets.
*** This bug has been marked as a duplicate of 4690 ***