You don't need a listener for this.
When the user logs in, bind an object to session (let's call it 'userBean').
With every subsequent request, check for the existence of this object.
If request.getSession().getAttribute("userBean") is null then the user has either not logged in or has let their session time out.
In that case forward or redirect to the login page.
A filter makes it easy to put this checking fuctionality in front of every request without having to update all of your
servlets.
I have an example app that does this on:
http://simple.souther.us/not-so-simple.html Look for SessionMonitor