Posted to general@portals.apache.org by ri...@peoplesoft.com on 2004/11/08 19:39:28 UTC

How does a portlet know when to clean up entity based resources?

I've read the JSR-168 spec and I don't see a way of cleaning up resources
related to a user's use of a portlet (a single placement on a page)... The
only thing close which is talked about in the spec (PLT.5.2.5) is the
portlet.destroy, which is not at all related to the portal user doing a
"logout" type of operation...

My assumptions are that the user can place a portlet on their page at any
time during their session in the portal and also remove it from their page
(without logging out of the portal). I'm assuming that if they re-add my
portlet during the same session I will pick up the state of the prior use
in the session (or not?). But what happens when they log out?

The closest I can come to this functionality is to add a session attribute
that identifies the user-instance, then add an HttpSessionBindingListener to
that... and respond to the unbound event. Will this work for all portals?

P.S. This is of interest to me because of its relation to the
releaseSessions in WSRP... which could lead to D.O.S. vulnerability if we
just wait for the inactivity timeout.

Thanks for your time...
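
The session-attribute approach described in the post, as an added example that is not part of the original message or of any portal's code. The names EntityResources, ATTR and track are hypothetical, and it assumes the portal keeps portlet-scoped attributes in the underlying HttpSession so that binding events reach the attribute value.

```java
import java.io.Closeable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Added example: holds the resources tied to one user's placement of a portlet.
public class EntityResources implements HttpSessionBindingListener {
    private static final String ATTR = "entityResources"; // constructed attribute name
    private final List<Closeable> handles = new ArrayList<Closeable>();
    private boolean released;

    // Look up (or create) the holder in PORTLET_SCOPE, i.e. per portlet placement.
    public static EntityResources forRequest(PortletRequest request) {
        PortletSession session = request.getPortletSession(true);
        EntityResources res = (EntityResources)
                session.getAttribute(ATTR, PortletSession.PORTLET_SCOPE);
        if (res == null) {
            res = new EntityResources();
            session.setAttribute(ATTR, res, PortletSession.PORTLET_SCOPE);
        }
        return res;
    }

    // Register a handle; if cleanup already ran, close it instead of leaking it.
    public synchronized void track(Closeable handle) throws IOException {
        if (released) { handle.close(); return; }
        handles.add(handle);
    }

    public void valueBound(HttpSessionBindingEvent event) { }

    // Called when the attribute is removed or replaced, or when the session
    // is invalidated (for example on logout) or times out.
    public void valueUnbound(HttpSessionBindingEvent event) { release(); }

    // Idempotent: safe if both explicit cleanup and the unbound event run.
    public synchronized void release() {
        if (released) return;
        released = true;
        for (Closeable h : handles) {
            try { h.close(); } catch (IOException e) { /* keep closing the rest */ }
        }
        handles.clear();
    }
}
```

Cleanup through this listener happens no later than session invalidation, so resources are released at logout only when the portal invalidates the session at that point.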