As a general statement, when the system notices that the session has been inactive for a period greater than the timeout (I dont know if the API requires this order.
1. container obtains synchronization lock on session
2. the session is marked as invalid
3. all listeners are notified
4. all references held in the session are set to null
Now for the specific - here is the code from
Tomcat 5
Thats what I love about open source software you can answer questions like this by looking at the code.
Bill