When I set crossContext="true" this version of Tomcat allows Session attributes from one webapp to be accessed from another. This is a violation of SRV 7.3 Session Scope. I have example code to reproduce the error if necessary.
*** This bug has been marked as a duplicate of 4690 ***