1) I agree. Once a session has been invalidated or timed out, requests can no longer see the session. Otherwise, what is the point of invalidating the session? Bogus callers would be able to hijack invalidated sessions.
Joined: Nov 28, 2004
Thanks for your answer.
I see you agree with step 1). Since you don't say anything about the rest of the sequence, I think you agree with it.