Once the session expires... this code never gets called by tomcat. So I am not really sure what you are thinking about? -Dennis
that is cause you have protected every single resource in your webapp and require login for that. hence, every single resource is bound by the session existing or not. in order for you to call (request.getSession(false)==null) that resource can not be protected by security constraints and required login information. Filip --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]