Using a test automation application as an example, this article demonstrates how WebSphere Application Server's HttpSession capabilities can be exploited to secure Java servlet Web applications, at a level of granularity lower than that of the J2EE programmatic security model.