By default, a cookie lives only as long as a session; once the
client quits his browser, the cookie disappears. That’s how
the “JSESSIONID” cookie works.
But after that there is a question:
Which statements about HttpSession objects are true?
(Choose all that apply.)
A. A session whose timeout period has been set to -1 will never expire.
B. A session will become invalid as soon as the user closes all browser windows.
C. A session will become invalid after a timeout period defined by the servlet container.
D. A session may be explicitly invalidated by calling HttpSession.invalidateSession().
Based on the first quote the option C should be correct, but it's not! Is there any explanation why? Any trick of the question or the quote?
The server can't tell if a client closed the browser window, or is just sitting there inactive.
All of the other questions appear related to the session timeout and invalidation, and look fine to me.
Of course, if the browser window is closed, the client no longer has its session cookie, and can't get back into the session on the server - unless you kept a copy of the cookie (you hacker).
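The point made in the reply above, as an added example that is not part of the original thread: a toy model in plain Java of a container's session table, showing that the server judges a session only by its id and inactivity clock, so a closed browser changes nothing server-side until the timeout or an explicit invalidation. The class and method names are hypothetical stand-ins, not the servlet API, and the times are constructed values.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration: models a container's session table; it is not the servlet API.
public class SessionLifetimeDemo {
    // Server-side record. A negative maxInactiveSeconds means "never time out".
    static final class Session {
        long lastAccessed; final int maxInactiveSeconds;
        Session(long now, int max) { lastAccessed = now; maxInactiveSeconds = max; }
    }

    private final Map<String, Session> sessions = new HashMap<>();

    // The container creates the session and sends the id to the client as a cookie value.
    String create(long now, int maxInactiveSeconds) {
        String id = UUID.randomUUID().toString();
        sessions.put(id, new Session(now, maxInactiveSeconds));
        return id;
    }

    // Runs on every request: the only inputs are the presented id and the clock.
    // Nothing here can observe whether a browser window is still open.
    boolean accept(String id, long now) {
        Session s = sessions.get(id);
        if (s == null) return false;                      // unknown or invalidated id
        if (s.maxInactiveSeconds >= 0 && now - s.lastAccessed > s.maxInactiveSeconds) {
            sessions.remove(id);                          // inactivity timeout reached
            return false;
        }
        s.lastAccessed = now;                             // each request resets the clock
        return true;
    }

    // Explicit invalidation, which a logout handler should trigger on the server.
    void invalidate(String id) { sessions.remove(id); }

    public static void main(String[] args) {
        SessionLifetimeDemo server = new SessionLifetimeDemo();
        String cookie = server.create(0, 1800);           // 30-minute timeout
        // The browser is closed at t=60: the client drops its cookie, the server sees nothing.
        System.out.println("same id presented at t=600:  " + server.accept(cookie, 600));
        System.out.println("after 1801s of inactivity:   " + server.accept(cookie, 2401));
        String neverExpires = server.create(0, -1);       // timeout of -1
        System.out.println("timeout -1, one year later:  " + server.accept(neverExpires, 31_536_000L));
        server.invalidate(neverExpires);
        System.out.println("after explicit invalidation: " + server.accept(neverExpires, 31_536_001L));
    }
}
```

Because the server-side record outlives the browser's copy of the cookie, a logout action should invalidate the session on the server rather than rely on the cookie disappearing.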