HttpSession is an object created on demand - and not before. It would be possible to create a JSF webapp that had no session scope objects at all, and therefore no HttpSession. Furthermore, the traditional way to log out of JEE container security was to destroy the HttpSession, which by implication destroys all of the objects stored in session scope.
However, the Application and Session scopes maintain application state for the remote user between HTTP requests. And, since these are the same object containers as regular JEE uses, their state is available to non-JSF application components - JSF is not a greedy framework and for certain tasks, it's better to use a non-JSF servlet or JSP, so it's useful that they share the same state space.
The ViewState is just the working storage for component tree persistence and form data in transit. It isn't used by the application code, only by JSF internally. When you submit a form, the JSF Restore View lifecycle step re-constructs the View Component Tree for that form's View and posts the incoming data into the Component working storage for the form's values. However, JSF will not post form data values to the backing bean unless each and every form value passes validation. If even one form value is invalid, JSF will bypass the posting and action steps, add an invalid field message to the request's JSF Messages, and post the form back to the user, allowing the messages to be displayed according to how the user specified them on the View Template. And, incidentally, update the ViewState so that future renderings will remember the last thing the user did, and not lose input even when the input is invalid. The user is then allowed the opportunity to correct the invalid values and re-submit the form.
Once the submitted form has passed all control value validations, then and only then will JSF post the updated values to the backing beans and invoke the action method. The action method then returns with a navigation value or null, which indicates what View will be restored and rendered back to the user.
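
The validation gate and the session-destroying logout described above, as an added example that is not part of the original post. It assumes JSF 2.x with CDI (the `javax` namespace); the bean name, view name, field and navigation outcomes are hypothetical.

```java
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.ValidatorException;
import javax.inject.Named;

// Hypothetical view (order.xhtml) that uses this bean:
//   <h:form>
//     <h:inputText id="qty" value="#{orderBean.quantity}" required="true"
//                  validator="#{orderBean.validateQuantity}"/>
//     <h:message for="qty"/>
//     <h:commandButton value="Order" action="#{orderBean.submit}"/>
//     <h:commandButton value="Log out" action="#{orderBean.logout}" immediate="true"/>
//   </h:form>
@Named
@SessionScoped // lives in the HttpSession, which is created on first use
public class OrderBean implements Serializable {
    private static final long serialVersionUID = 1L;
    private Integer quantity;
    private int totalOrdered;

    // Process Validations phase: checks the submitted value held in the
    // component tree, before anything is written to this bean.
    public void validateQuantity(FacesContext ctx, UIComponent comp, Object value) {
        if (!(value instanceof Integer) || (Integer) value < 1 || (Integer) value > 100) {
            throw new ValidatorException(new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Quantity must be between 1 and 100", null));
        }
    }

    // Invoke Application phase: reached only when every input in the form
    // passed validation, so setQuantity() has already run with a value in range.
    public String submit() {
        totalOrdered += quantity;
        return "confirm"; // navigation outcome; null would redisplay this view
    }

    // Destroying the HttpSession discards this bean and every other
    // session-scoped object along with it.
    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/login?faces-redirect=true";
    }

    public Integer getQuantity() { return quantity; }
    public void setQuantity(Integer quantity) { this.quantity = quantity; }
    public int getTotalOrdered() { return totalOrdered; }
}
```

The logout button is marked `immediate="true"` so that its action runs before the Process Validations phase and an invalid quantity field cannot block the logout.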