This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
As a general statement, when the system notices that the session has been inactive for a period greater than the timeout (I dont know if the API requires this order. 1. container obtains synchronization lock on session 2. the session is marked as invalid 3. all listeners are notified 4. all references held in the session are set to null
Now for the specific - here is the code from Tomcat 5
Thats what I love about open source software you can answer questions like this by looking at the code.