How do I share sessions between two server instances, one secure (HTTPS) and one normal (HTTP)?

The management of sessions is handled by your servlet container. That is, you will never have to write any custom code so you can share sessions between servlets - it is already handled for you. The entry point from the servlet container to your servlet will always be the service(HttpServletRequest req, HttpServletResponse res) method. Since this method takes an HttpServletRequest object as a parameter, you can always call getSession() to access the HttpSession.

As far as having two servlets - one for HTTP and one for HTTPS - these should behave basically the same. All of the HTTPS encryption/decryption is hidden from the servlet. Unless your HTTPS servlet needs to have some code to ensure it is processing a request whose protocol is HTTPS, these two servlets should be pretty much the same.

See also Can I move between http and https-based resources while sharing the same session? in the JSP FAQ.

[If the two servers are actually distinct, then you'd have to find some way of tunneling the data across. Hidden fields are probably your best bet, although that may not suit your security policy. -Alex]