1) I agree. Once a session has been invalidated or timed-out requests can no longer see the session. Otherwise what is the point of invalidating the session. Bogus callers would be able to hijack invalidated sessions.
Joined: Nov 28, 2004
Thanks for your answer.
I see you agree with step 1). Since you don't say anything about the rest of the sequence, I think you agree with it.