If the cookie were gone, there would be no way to reassociate the user with the session. So it would never be used again. An HttpSession that could never be reassociated with a user would be garbage, and for all practical purposes, invalidated. (Though it would still exist as an object.)
The cookie is not eliminated when the browser closes. It's reused until the cookie expiration date passes.
Though VERY ambiguous in the Servlet spec, I believe the session-timeout element is different from what you call "sessionLive." I believe the container periodically looks for expired HttpSessions. I would define InactivePeriod as measured from the LastAccessedTime to now, irrespective of creation time. The primary concern is reclaiming inactive session objects. I understand your interpretation, though.
Someone needs to rewrite the DTD where it defines:
"The session-timeout element defines the ... session timeout..." Doh!
PS: To add one other odd detail:
According to the DTD:
* If the timeout is 0 or less, session will not expire.
According to the API:
* setMaxInactiveInterval(int interval): if interval<0, session will not expire. (If interval==0, session expires immediately. Wow! Somebody fix that!)
For cookies:
* A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted. (Though different, it makes sense, because cookies must have some timestamp.)