The class org.jboss.metadata.parser.jbossweb.JBossWebMetaDataParser doesn't support reading "flushOnSessionInvalidation" attribute on "security-domain" element. And also the schema files for jboss-web.xml doesn't mention this attribute.
The class org.jboss.metadata.web.jboss.JBossWebMetaData contains the attribute flushOnSessionInvalidation, which comes from old JBoss versions (3.2 and 4.0). The description says:
The jboss-web.xml security-domain element now supports a flushOnSessionInvalidation boolean attribute that when true, will flush the security-domain JAAS authentication cache for the associated user principal.
This attribute is also supported in WildFly integration with Undertow (look at source), but the code is never reached as the flushOnSessionInvalidation attribute value stays always false.