When session is timed out, then it is eligible for invalidate. At this time the session will not be invalidated. If the application implements HttpSessionListener, it notifies that the session is about to invalidated via. sessionDestroyed() method. If we want to cleanup any resources, that should be placed there. After everything is done, then the session will be invalidated.