ATM session destroyed event is bound to the request. this means a logout will not be able to access the right session when destroyed since most of the time logout = session destruction and then you can recreate a session (login case).

Would be great to align CDI scopes - and then events - to the real lifecycle of the underlying observed event.