I don't know where you got the idea that
J2EE sessions were assigned on a per-window basis. They aren't, and they never were, and that applies to ALL J2EE, not just to JSF and has since the beginning. Each
webapp normally gets its a separate session per client, but a client (browser) would not normally get multiple sessions with one webapp.
It's possible, but dangerous to create multiple session IDs IF the user has cookies disabled, but that's not the way most people operate, which is why it's so dangerous.
Other than that, the actual rule is that each browser executable has its own set of cookies and therefore its own session, but the cookies themselves are shared by each and every window owned by that particular executing instance of the browser application. For IE you get exactly one and only one IE for the entire OS.
For Firefox and most of the other browsers not welded into the OS itself, you will USUALLY get only one instance, but you can sometimes force a new instance, but that's also not something you want to depend on casual users get get done right.
On a less technical note, I personally don't like webapps that pop up windows all over my (already-cluttered) screen, and the only way to repel me as a customer faster is to make the app require Flash to be usable.