Questions about session tracking

I have a web application which requires user registration and login.
I am kinda new to session tracking.
My questions follow:
1. When do I need to create a session object by
HttpSession session=request.getSession(true);
? (The question mark should be here, right? )
Should I do this right after the user's password is verified and logged in?
2. Suppose that a user is successfully logged in, and the session object has been created, and then he clicks "Change My Profile" on the webpage, what should I do? Should I check something with the session object before I connect to the database to get the user's personal information for him to make changes to it?

1. The session object is created behind the scenes when that client makes its first request. getSession() is just getting a handle onto the already existing session object.
2. If you are authenticating the user via one of the techniques in the Java Servlet spec (e.g. HTTP basic, digest, form) then you can use the method HttpRequest.getRemoteUser() to get the name of the user that was logged in and use that to look up your database of profile information.