I think that's going to depend on what session manager you've got plugged in.
When a session times out or gets invalidated, the jsessionid for that session should have been removed from the session map, and if the session is not being abused, that would render it instantly available for garbage collection if in memory. I would hope that this deletion would also be reflected to the session manager which should then purge the persistent copy.
The real problem is what happens when Tomcat crashes and restarts with orphan sessions, and that's partly controlled, if I recall, by server.xml settings.
So I don't really know, and it has almost certainly evolved over the various releases of Tomcat. So I'd have to check on a per-release basis.
As for myself, I've just used the default manager and whenever I'm
testing or otherwise paranoid, I erase everything under TOMCAT_HOME/work, TOMCAT_HOME/temp and TOMCAT_HOME/logs before restarting Tomcat, So that resolves the question for me Gordian-knot style.
Although I think on production servers, I've left the persistent sessions alone and they simply proceeded as though Tomcat had never gone down. Restarted or not, sessions do eventually time out anyway.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.
