if another user logged in from another location (s)he could see the state of the first user's session.
This is not right. This application was badly designed from the beginning. This can happen when you're storing request and/or session-scoped data in a static variable or in the application scope. This is not right. Request scoped data should be stored in a non-static variable in a request scoped bean. Session scoped data should be stored in a non-static variable in a session scoped bean.
In other words, stop using static variables until you really understand what that means, and don't store the data in too wide a scope.
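
The leak described above, reproduced in plain Java as an added example that is not part of the original answer. The class names and session ids are hypothetical, and a map stands in for the container's session scope so the program runs without a JSF runtime.

```java
import java.util.HashMap;
import java.util.Map;

public class ScopeLeakDemo {

    // Anti-pattern: a static field belongs to the class, not to the bean
    // instance, so every session in the JVM reads and writes the same value.
    static class LeakyBean {
        private static String selectedAccount;
        void select(String account) { selectedAccount = account; }
        String selected() { return selectedAccount; }
    }

    // Corrected: a non-static field, so each bean instance (one per session)
    // carries its own state.
    static class SessionBean {
        private String selectedAccount;
        void select(String account) { this.selectedAccount = account; }
        String selected() { return selectedAccount; }
    }

    // Stand-ins for the session scope: one bean instance per session id.
    static final Map<String, LeakyBean> leakySessions = new HashMap<>();
    static final Map<String, SessionBean> safeSessions = new HashMap<>();

    // User A stores a value in session A; returns what session B then reads.
    static String leakyView() {
        leakySessions.computeIfAbsent("session-A", id -> new LeakyBean())
                     .select("account-of-user-A"); // constructed sample value
        return leakySessions.computeIfAbsent("session-B", id -> new LeakyBean())
                            .selected();
    }

    static String safeView() {
        safeSessions.computeIfAbsent("session-A", id -> new SessionBean())
                    .select("account-of-user-A"); // constructed sample value
        return safeSessions.computeIfAbsent("session-B", id -> new SessionBean())
                           .selected();
    }

    public static void main(String[] args) {
        System.out.println("static field, session B sees:     " + leakyView());
        System.out.println("non-static field, session B sees: " + safeView());
    }
}
```

With the static field, session B reads the value that session A stored even though each session has its own bean instance; with the non-static field, session B's bean is still empty.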