I only use the HttpSession as a last resort. I will always favour the stateless approach using: 1. Page activation context (onActivate() / onPassivate() or @PageActivationContext) 2. Event context (actionlink / eventlink) 3. Posting hidden inputs
One caveat to this is that the logged in user is always HttpSession scoped for security (never trust a url). In my opinion, users who are not logged in shouldn't require a session. This has many benefits: 1. Improves scalability by reducing server load 2. Makes your links bookmarkable 3. Allows multiple browser tabs to the same page(s) without conflict 4. Makes clustering easier Some further reading https://tapestry.apache.org/performance-and-clustering.html
