Serge,
the problem is that you have added a ConstraintSecurityHandler as the prime Server handler and it does not have a SessionHandler to create the session.
Note that within your WebAppContext, you will already have a SessionHandler and a ConstraintSecurityHandler, so you really should just configure those. However, you have an external ResourceHandler, which again is not strictly necessary as the DefaultServlet in the WebAppContext is able to server static content.
So you either need to decide to use the WebAppContext and all it's built in capabilities
OR
use a ServletContextHandler that will be able to build a structure like
Server -> ServletContextHandler -> SessionHandler -> ConstraintSecurityHandler -> ServletHandler
which you could modify to
Server -> ServletContextHandler -> SessionHandler -> ConstraintSecurityHandler -> HandlerList [ ResourceHandler, ServletContextHandler ]
OR
build your own structure like:
Server -> SessionHandler -> ConstraintSecurityHandler -> HandlerList [ ResourceHandler, ServletContextHandler ]
cheers