I have a technical term that I use when describing security systems such as what you have outlined. That term is "hacked".
No joke. Over 90% of all the "write-your-own-login" systems I've seen over the last decade or so working with
J2EE have been easily exploitable by non-technical people in 10 minutes or less. Unless you are a full-time formally trained security expert,
you should not try writing your own login/security system. Nor, for that matter, should you use one created by some in-house "genius". Security is very much a weakest-link thing and if it's something you have to do in addition to your main job, you shouldn't be doing it at all. Use the pre-written security system that comes standard as part of J2EE/JEE. Because that system
was designed by full-time security experts and it avoids such common mistakes as "obtaining user credentials and comparing one with existing in DB".
It will also maintain (or create) a session. The jsessionid value changes, but that's for security reasons. The actual session and its data do not.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.