SessionTimeout ignored with J2EE sessions
When using J2EE sessions, the application's SessionTimeout parameter is ignored. Instead, sessions time out according to the default session-timeout parameter in tomcat/conf/web.xml.
For my testing, I set the Tomcat default session timeout to 1 minute, and the application's session timeout to 5 seconds.
Please give this a try.
The problem is that when the expiry time is reached, it is up to the controller to remove the session, but if the controller has not yet removed it and the session is requested, it is still returned. You could argue that this is not a bad thing: even if the session is marked for removal, why not use it while it is still around? Mostly we have an expiry time only to keep memory in check. But it is invalid and should be corrected.
Okay. Micha will confirm this issue.
You confirmed things work as I described.
As far as I am aware, in ColdFusion both application and Tomcat session timeout apply. Both timers will end the session, whereas Lucee seems to completely ignore the application timeout.
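
The behaviour discussed in this thread (a session past its timeout is still handed back when the cleanup pass has not removed it yet), shown as an added Java illustration that is not Lucee's or Tomcat's code. The class and method names are hypothetical, and the 5-second timeout and 30-second lookup are constructed values modelled on the test settings in the report.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative only: hypothetical names, not Lucee or Tomcat classes.
public class ExpiringSessionStore {
    private record Entry(Map<String, Object> data, long lastAccessMs) {}

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final long timeoutMs;

    public ExpiringSessionStore(long timeoutMs) { this.timeoutMs = timeoutMs; }

    public void create(String id, long nowMs) {
        sessions.put(id, new Entry(new ConcurrentHashMap<>(), nowMs));
    }

    private boolean expired(Entry e, long nowMs) {
        return nowMs - e.lastAccessMs() > timeoutMs;
    }

    // Lookup that relies on the cleanup pass alone: an expired session that
    // has not been reaped yet is still returned.
    public Map<String, Object> getUnchecked(String id) {
        Entry e = sessions.get(id);
        return e == null ? null : e.data();
    }

    // Lookup that enforces the timeout at access time, so the result does
    // not depend on when the cleanup pass last ran.
    public Map<String, Object> getChecked(String id, long nowMs) {
        Entry e = sessions.get(id);
        if (e == null) return null;
        if (expired(e, nowMs)) {
            sessions.remove(id, e);          // drop it now, do not wait for reap()
            return null;
        }
        sessions.replace(id, e, new Entry(e.data(), nowMs)); // refresh idle timer
        return e.data();
    }

    // Periodic cleanup, kept for memory control only.
    public void reap(long nowMs) {
        sessions.values().removeIf(e -> expired(e, nowMs));
    }

    public static void main(String[] args) {
        ExpiringSessionStore store = new ExpiringSessionStore(5_000); // 5 s timeout
        store.create("abc", 0);
        // 30 s later, before any reap() call has happened:
        System.out.println("unchecked lookup returns session: " + (store.getUnchecked("abc") != null));
        System.out.println("checked lookup returns session:   " + (store.getChecked("abc", 30_000) != null));
    }
}
```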