I recommend you to implement some kind of auto-login feature in your application. There are a number of possibilities for that (Client Certificate, or Single Sign-On with some other AA provider, even domain cookie).

If you are trying to log in with another application, your options are HTTP Basic Authentication, Client Certificate, or simply posting the username/password to your login page (this one is not the safest, though).

I prefer the Client Certificate, since that is the safest solution.

If you really want to hack the JSESSIONID (which I don't recommend), you can do the following way:

• Write a Servlet Filter
• In that filter write a wrapper for the HttpServletRequest (a new instance of this class must be passed to the chain.doFilter()) (let's call it RequestWrapper)
• In the RequestWrapper override the getSession(boolean) method

In the getSession(booelan) implementation you have to

• Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)
• Identify the situation when you want to make the 'change' (when with some kind of check you identify your non-keyboard user)
• When you have to 'change', you can return the remembered session from the getSession()

The key moment is: How do you identify your non-keyboard user? If you can't do it safely (from the current information you provided I cannot see it), it is a security hole.