Right. session is an implicit scripting variable, and the JSTL has no access to scripting variables. Remember, the whole purpose of JSTL is to minimize/eliminate on-page scripting. JSTL's variable focus is on "scoped variables" -- attributes placed on the page, request, session and application contexts. As such, JSTL is most useful in an environment where the JSP pages have controllers that set things up -- including scoped variables -- on behalf of the page. It takes a little bit of turning your thinking around from the days when scriptlets were the norm, but once you've adjusted your thinking, it's amazing how much simpler doing things the JSTL way makes your life and the JSP pages. For your example, the controller could set up a collection/array of the names it read from the session to use with the forEach action.
For a slightly more interesting example: let's say that your page wanted to show both the attribute names, as well as their values. The controller would set up a Map of the name value pairs -- let's say as request attribute "sessionAttributes":
Joined: May 14, 2003
Ah! That clears up a few things. Let me update my code and try again. Thanks! L