What was the client using? A stateless session bean, a statefull session bean, a web app or something else?
You are right: the client was using a stateful session bean (directly) and stateless session beans (indirectly by means of the session bean).
The client should have logged in by means of the appropriate jboss extension.
I guess the session bean will be gracefully destroyed, right?