I am not 100% sure of what I am saying now so you want to check.
Upon timeout, the session is invalidated. Hence sessionDestroyed(HttpSessionEvent e) should be called.
By implementing the HttpSessionListener, then checking inactive time
you should be able to achieve what you are looking for.