Hi, David.
There is one detail, Tomcat uses so called (I think) persistent
sessions. Meaning...
If you close Tomcat, it creates a file
($CATALINA_HOME/work/Standalone/yourwebapp/SESSIONS.ser) where present
sessions are serialized.
Also when you restart Tomcat, that file is deleted. So basically
When I shut down Tomcat, shouldn't HttpSessionListener.sessionDestroyed() be called
for each existing session?
When users authenticate to my application, I store their username and encrypted
password in a database where it's associated with their session. When the session is
destroyed, I have