Regarding your first question: you should not use the session to store temporary data like this.
Let's take a more realistic example. The form is used to create a product. The POST request contains all the information of the product. So the servlet gets this information from the request parameters, creates a row in the product table of the database and generates an identifier (primary key) for this created product. And now the servlet should redirect to the page displaying the created product information. So it should redirect to this kind of URL:
/product?id=<theGeneratedProductId>
or
/products/<theGeneratedProductId>
The second servlet will then get the ID of the product from the request parameters or from the request URL, get the product information from the database, store a Product object in a request attribute, and forward to the JSP displaying this product.
Regarding your second question:
<%= request.getAttribute("firstName") %>
is translated by the JSP compiler to the following Java instruction (this is not entirely correct, but you should get the idea):
response.getWriter().print(request.getAttribute("firstName"));
So you understand that adding a semicolon would translate to
response.getWriter().print(request.getAttribute("firstName"););
which would be invalid Java code.
You should NOT use scriptlets in your JSPs anyway. So try to forget that scriptlets exist, and learn the JSP EL, the JSTL, and other custom tag libraries. You should instead write:
${firstName}
or, even better:
<c:out value="${firstName}"/>
which would make sure your HTML stays valid even if the firstName happens to contains characters that must be HTML-escaped, like <
, >
, &
, '
or "
.
Think about what would happen if a user submitted the following firstName, and if it was not escaped properly:
<script>alert('Got you!');</script>