Almost certainly this is due to your misunderstanding/misconfiguration of how session timeout works in Tomcat.
Seam isn't squirelling away references to components in some secret session-like place ;-)
could you give me a hint?
i didn't configure anything about the session in tomcat. now i reduced the session-timeout attribute in the web.xml to one minute, but only for testing.
it seems like the session isnt destroyed or the new session after session timeout has the same session ID as the old one even if the user changes...
or could it have to do something with