I went deep and found out that there's no session timeout set for jetty and the default is -1 (not sure..). So, as sessions never expires and there's no expicit invalidation HTTP sessions live forever (tested with JProfiler).
I've also tested calling login.jsp with curl. It generates a session that never expires. The problem seems to be wider than a plugin problem.
The fix could be simply adding a session-timeout configuration to 30 or adding a maxinactiveinterval to some value just after session creation.
What do you think?
