Sessions are used for maintaining user-specific state, including persistent objects (such as handles to EJB components or database result sets) and authenticated user identities, across many interactions.
For example, a session could be used to track a validated user login followed by a series of directed activities for a particular user. For each request, the client transmits the session ID in a cookie or, if the browser does not allow cookies, the server automatically writes the session ID into the URL.
The default for a given level is the setting at the next level up.
If desired, set the session to time out after being inactive for a defined time period or invalidate it manually. Alternatively, invalidate the session manually with the deployment descriptor file.
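The servlet below is an added example, not code from the original page. It uses the standard `javax.servlet.http` API to set an inactivity timeout, report whether the session ID arrived in a cookie or in the URL, and invalidate the session manually. The class name, the `visits` attribute and the 15-minute timeout are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Class name, attribute name and timeout value are assumptions.
// Descriptor equivalent of the timeout (web.xml, value in minutes):
//   <session-config><session-timeout>15</session-timeout></session-config>
public class SessionLifecycleServlet extends HttpServlet {
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;
    private static final String VISITS = "visits";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(true);   // create on first request
        if (session.isNew()) {
            // Per-session inactivity timeout; overrides the descriptor default.
            session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        }
        Integer visits = (Integer) session.getAttribute(VISITS);
        int count = (visits == null) ? 1 : visits.intValue() + 1;
        session.setAttribute(VISITS, Integer.valueOf(count));

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("requests in this session: " + count);
        // How the client sent the session ID on this request.
        out.println("id from cookie: " + req.isRequestedSessionIdFromCookie());
        out.println("id from URL:    " + req.isRequestedSessionIdFromURL());
        // encodeURL() appends the session ID only when cookies are not in use.
        out.println("next: " + resp.encodeURL(req.getRequestURI()));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Manual invalidation, e.g. on logout: never create a session just to end it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // unbinds all attributes; the ID is no longer valid
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("session ended");
    }
}
```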