You need to put more context around this. What does 25 and 253 mean? Who is "they" and who are the "other entities". Just offhand though, this sounds more like a session management issue rather than something specific to BIRT. Maybe information from the query string is being placed into the application scope rather than the session or request scope. Again, need more context.
Your questions are architectural in nature and I could not honestly answer one way or another based on what you have given. That being said, I am surprised that you are programming servlets directly. On any modern web-based application of significant size and importance, one of the first architectural decisions would be to settle on a framework to use to abstract away most of the intricacies of programming servlets so that you are dealing more with dispatching requests to appropriate business services and creating appropriate views and responses from a high-level point of view rather than from a low-level "plumbing" point of view.