If you want to make sure, the paranoids that have even session-cookies OFF, won't spoil your beautiful concept, then there is a little more work involved.
For this case you have to do a little URL rewriting with the encodeURL of the HttpServletResponse object.
public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
url - the url to be encoded.
the encoded URL if encoding is needed; the unchanged URL otherwise.
In addition to that, make sure you understood, that there are not several instances of you servlet (or jsp page).
There is always exactly _one_ instance and you share this instance with all other current users. Concurrent usage is handled by leading multiple threads through this instance. This can be quite fun if you expect a field to be in the state you left it on your previous visit, but had visitors in the meantime.