Several comments.

1. Why are you first creating a session then checking the password? I would think you'd want things the other way around: first check the password, then create the session only if the password is correct.
2. Why are you trying to get the password from the attributes of the session? That's not where the system puts it for you. (If you want to check what kinds of things *do* get stored as attributes, HttpSession.getAttributeNames() gives you an Enumeration of attribute names you can play with. (Working with an enumeration is similar to working with an iterator -- I gave an example of that just a few weeks ago.) Given your code, I'm reasonably confident your session doesn't have any attributes, but it's fun to check these things for yourself.)
3. Your cast (String)session.getAttribute( "pass" ); is a risky operation. HttpSession.getAttribute(String) only guarantees to return an Object (or null). (Yes, I know all Objects have toString(), but you're casting here and setting yourself up for a ClassCastException if the attribute is anything but a String.)

Parameters are Strings, attributes are Objects. It would behoove you to remember that when dealing with servlets. A simple enough lesson to learn, but a fact that seems to cause many a new servlet developer much consternation.

With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
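
The three points above, put together as an added example that is not part of the original post or the asker's code. It assumes the javax.servlet API (Servlet 3.1 or later) and a login form posting fields named "user" and "pass"; the class name, demo user, salt, password and iteration count are all constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Enumeration;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.*;
// Hypothetical servlet: verify the password, then create the session.
public class LoginServlet extends HttpServlet {
    // Constructed demo credential; a real application loads salt and hash from its user store.
    private static final String DEMO_USER = "demo";
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] STORED_HASH = pbkdf2("constructed-demo-password".toCharArray());
    private static byte[] pbkdf2(char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, SALT, 210_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Form fields arrive as request parameters, and parameters are always Strings (or null).
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        // Check the password first, so a failed login never creates a session.
        if (!DEMO_USER.equals(user) || pass == null
                || !MessageDigest.isEqual(STORED_HASH, pbkdf2(pass.toCharArray()))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only now create the session; give it a fresh id and store the user name, never the password.
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute("user", user);
        // Attributes are Objects: test the type instead of casting blindly.
        Object attr = session.getAttribute("user");
        String name = (attr instanceof String) ? (String) attr : null;
        // List what the session really holds, via the Enumeration the post mentions.
        for (Enumeration<String> e = session.getAttributeNames(); e.hasMoreElements();) {
            log("session attribute: " + e.nextElement());
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + name);
    }
}
```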