There is one more thing: you don't have to make an entry in web.xml for it (unlike other listeners). Why is that?
The reason is that when an object is added to or removed from any session, the container introspects the interfaces implemented by that object. If the object implements the HttpSessionBindingListener interface, the container invokes the valueBound or valueUnbound method respectively. These methods are called even if the session is explicitly invalidated or timed out. The argument passed into the methods is of type HttpSessionBindingEvent.
Consider this: if the session times out and the login info is stored as an HttpSessionBindingListener object, the valueUnbound method will be called. You could use this method, for example, to log auditing messages stating that the user has been logged out because of a timeout.
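The audit-logging idea above, as an added example that is not part of the original text. The class name LoginInfo, the logger name and the log format are assumptions, and the imports use javax.servlet.http (on newer containers the package is jakarta.servlet.http).

```java
import java.io.Serializable;
import java.time.Duration;
import java.time.Instant;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical session attribute holding login info. The container calls
// valueBound/valueUnbound on it without any <listener> entry in web.xml.
// Usage: session.setAttribute("loginInfo", new LoginInfo(userName));
public class LoginInfo implements HttpSessionBindingListener, Serializable {
    private static final long serialVersionUID = 1L;
    private static final Logger AUDIT = Logger.getLogger("audit.session");

    private final String username;
    private Instant boundAt;

    public LoginInfo(String username) {
        // Replace control characters (CR/LF included) so a crafted
        // user name cannot inject forged lines into the audit log.
        this.username = username.replaceAll("\\p{Cntrl}", "_");
    }

    public String getUsername() {
        return username;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Called when this object is stored in a session.
        boundAt = Instant.now();
        AUDIT.info("login user=" + username + " attribute=" + event.getName());
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Called on removeAttribute(), on invalidate() and on session timeout.
        // The session may already be invalid here, so rely only on state
        // held in this object rather than calling back into the session.
        Duration held = (boundAt == null)
                ? Duration.ZERO
                : Duration.between(boundAt, Instant.now());
        AUDIT.info("logout user=" + username + " attribute=" + event.getName()
                + " boundForSeconds=" + held.getSeconds());
    }
}
```

The session ID is deliberately left out of the log lines, since a live session identifier in a log file is itself a credential.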