DB Cleanup on Session timeout and logout

Just a quick question. On login I put every user into a db because one time only one user can log in with the same username and password. If this user is already in the db I dont let the user in. When the user logs out I clear the dB table and invalidate the session in a Servlet. Now if the user forgot to logout, the session obviously will be expired at eg. 20 minutes so In web.xml I created this:

<listener>
    <listener-class>com.servlets.dbclean</l开发者_JAVA技巧istener-class>
</listener>

This dbclean class then implements HttpSessionListener and on the sessionDestroyed method I clear up the db. My question: is it enough to have this db cleanup happen only here, because when the user logs out manually the session will be invalidated and this method will be called or should I clean up the db at the /doLogout Servlet and rely on this Listener when the user forgot to log out? So is it a save way to use only this Listener?

The listener will be triggered when the session is invalidated - either by timeout or by calling invalidate()

If you don't need to support clustering, you can simply store the logged user in a Set inside the ServletContext (do it in on sessionCreated(..), and then remove it from that Set in sessionDestroyed(..). No need to go to the database - it can all stay in memory. (Using session replication you can do this in a cluster as well)