0 Replies Latest reply on Feb 27, 2012 3:13 PM by pgarner

    How does PicketBox handle session timeout when using Servlet 3.0 programmatic security?

    pgarner

      Regarding Servlet 3.0 programmatic security, when a session times out there is no way to invoke HttpServletRequest#logout().

      Upon session destroy, does the user remain logged into JAAS?

      If so, what is the best practice to handle logging out of JAAS after the session times out?

      If the user shortly thereafter requests to log in again, how does the container handle such a request after session timeout?

      Do any of the following three approaches provide a means to handle JAAS logout upon session timeout:

      1. HttpSessionListener#sessionDestroyed()
      2. Make the @Named @SessionScoped LoginManager implement HttpSessionBindingListener and do something in valueUnbound.
      3. Annotate a method in @Named @SessionScoped LoginManager with @PreDestroy.

      Any suggested approaches or best practice advice regarding this subject would be greatly appreciated.