You're right that this is undefined and hence allowed. However, it could be tricky to write tck tests which assume the http session can be persisted. I'd recommend to add this requirement to the Configuring your application server to execute the TCK section. I doubt that there is a servlet container which only supports session passivation.