When HttpSessionListener is executed, illegal class loader is set to the context classLoader. I think that the problem is in CoyoteAdapter#parseSessionCookiesId method. JSESSION COOKIE is parsed in this method, and sessionId is set to the request. To check sessionId, Request#isRequestedSessionIdValid method is called in this method. And, Session#isValid() might be called in Request#isRequestedSessionIdValid method. However, the context class loader of a current thread is StandardClassLoader. It is not WebappClassLoader. For instance, When the session has already passed session-timeout, Session#expire is executed. At this time, the context class loader of the thread that executes HttpSessionListenner#sessionDestroyed is StanderdClassLoader. This is not good. The context class loader of the thread that executes HttpSessionListenner should be WebAppClassLoader. Best regards.
This has been fixed in trunk and proposed for 6.0.x. Thanks for the report.
The patch has been applied to 6.0.x and will be included in 6.0.23 onwards.
I reopned this bug. This is not fixed against 5.5.x. therefore, proposed for 5.5.x.
This fix applied to 5.5, will be in 5.5.30 onwards.