Session management in highly scalable web sites


Every application server has its own session management implementations for supporting high scalability. But an application architect/developer has to design and implement the application to make the best use of it.

What are the guiding principles and pattern for session state management?

Websphere System management red book mentions that "Session management performance is optimum when session data per user is around 2Kb. It degrades if session data is more than that".

I have following questions.
1. How do you measure session data per user?
2. It is generally recommended that you should keep all the session state in database and keep only the keys in HttpSession object. Then everytime a web request is processed, session data is fetched from the database. This way all the data remains in memory only till the request is processed and actual data in HttpSession is very less. (Only few keys).
What is the general practice?
At what point you should be switching from keeping data in HttpSession to database?
Are websites like Amazon or eBay follow this?
3. Is there any open source framework which helps you do session management in a way mentioned in point no. 2?