When the session is destroyed (e.g. due to logging out), then its conversations are destroyed right away, in the session.invalidate(); call. According to the spec, this is wrong.
CDI 1.2 spec 6.7.4. Conversation context lifecycle:
When the HTTP servlet session is invalidated, all long-running conversation contexts created during the current session are destroyed, after the servlet service() method completes.
(CDI 2 spec early draft makes the same statement in 19.3.4 Conversation context lifecycle in Java EE.)