I agree with Sean. I will add that a good practice for this type of checking is to use a Filter

See here Servlet Filter

Just take the code Sean have written and put it in a Filter instead. Define you filter in the web.xml and every time a request come in, the filter will execute.

This way you can validate if the user is auth. without cluttering your servlet code.

No need to store the httpSession in your own hash.

Look at the api for the HttpServletRequest. If you look at getSession(Boolean x) (pass false so it doesnt create a new session) will determine if the session is valid. Here is an example

public void doGet(HttpServletRequest req, HttpServletResponse res){
    HttpSession session = req.getSession(false);
    if(session == null){
       //valid session doesn't exist
       //do something like send the user to a login screen
    }
    if(session.getAttribute("username") == null){
       //no username in session
       //user probably hasn't logged in properly
    }

    //now lets pretend to log the user out for good measure
    session.invalidate();
}

On a side note, If I read your question properly and you are storing the information in your own map, you need to be careful that you don't create a memory leak and are clearing the entries out of the hash table yourself.

Rather than checking if a saved session is valid, you should be looking at the HttpServletRequest on your servlet, and checking isRequestedSessionIdValid() on that. When working in servlets you can always get Session from the Request, rather than saving it to a hash table.