Session scope should only be used for user-specific data that needs to stick around for more than one request. For simply passing data from a controller
servlet to a JSP for display, the request is the correct scope to use.
When creating session data, especially in an environment where there are many users, it's important to be sure to release any data that is no longer being used to avoid unnecessary memory overhead. This leads some misinformed shops to disallow use of the session completely -- which is pretty silly. Just be sure to do a bit of housekeeping to make sure that session data doesn't hang around for longer than it needs to.
[ February 12, 2008: Message edited by: Bear Bibeault ]