There were a couple of things that I did that sorted this out completely.

1. Double checked the server was using J2EE sessions.
2. Set the maximum timeouts to the same values as the default timeouts in the CF Admin.
3. Set the session-timeout in the web.xml file to a little more than the settings in CF Admin (I added 5 mins).
4. (This is the bit I was missing.) Set the setClientCookies var in the application cfc/cfm to false.

Because I was missing the last piece, the CFID and CFTOKEN cookies were being issued as well as JSESSIONID. This was causing clients to hold onto the CFID/CFTOKEN combination (sent to the client) when the JSESSIONID (held in server memory) had long since expired. CF was trying its best to reconcile the CFID/CFTOKEN combination with a valid J2EE session and was failing, as the J2EE session no longer existed and was null... hence the error "Session is invalid null".

http://old.nabble.com/Session-issues---In-words-of-one-syllable-please-:-)-td23097938.html
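Added example, not part of the original post: a minimal Application.cfc showing steps 3 and 4 together, with the matching web.xml fragment in a comment. The application name and the 20-minute timeout are assumed values chosen for illustration; use whatever defaults are set in your own CF Admin.

```cfml
// Application.cfc (illustrative; name and timeout values are assumptions)
component {

    this.name = "exampleApp";            // hypothetical application name

    // Sessions on; with "Use J2EE session variables" enabled in CF Admin,
    // the servlet container issues JSESSIONID and owns the session lifetime.
    this.sessionManagement = true;

    // Assumed to match the default session timeout in CF Admin (20 minutes here).
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);

    // Step 4: stop CF from issuing CFID/CFTOKEN cookies alongside JSESSIONID,
    // so the browser holds only one session identifier.
    this.setClientCookies = false;

    /*
       Step 3: the servlet container timeout in web.xml, in minutes, set a
       little above the CF value (20 + 5 in this example):

       <session-config>
           <session-timeout>25</session-timeout>
       </session-config>
    */
}
```

Browsers that already hold CFID/CFTOKEN cookies from before the change will keep sending them until those cookies expire or are cleared.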