My goal is to be able to create a LoginFilter class which will be invoked before any of my restricted servlets can be displayed to the user. If the user has already logged in with a correct username/password, then let them proceed to the requested servlet, else they can be directed to the LoginServlet which will force them to enter a username/password.
So as long as they enter the correct username/password and use the same browser, the user should remain logged in.
The authentication is done via some simple file where we validate the username/password.
Also if someone can let me know how to timeout a stale session and logout a user, that'd be super awesome!
Why are you re-inventing the wheel? All of this is already a part of the J2EE spec. If you have a look at the various authentication parts, BASIC, FORM etc, they all provide the behaviour you describe.
The advantage they have by being declarative rather than programmatic is that additional pages pick up the security just by being placed in the right location. They don't require you to remember to add security code to each of the pages.
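
The declarative approach described in the answer, as an added example that is not part of the original posts: a `web.xml` deployment descriptor using FORM authentication, which also covers the stale-session timeout asked about in the question. The URL pattern `/restricted/*`, the role name `user`, the page names `/login.jsp` and `/login-error.jsp`, and the 15-minute timeout are assumptions for illustration; how usernames, passwords and roles are stored (for example a file-based realm) is configured in the container, not here.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Idle sessions are invalidated by the container after this many
       minutes; the next request to a protected URL goes back to login. -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

  <!-- Everything under /restricted/ (assumed path) requires an
       authenticated user in the "user" role. Listing no <http-method>
       means the constraint applies to every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted servlets</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Require TLS so the password and session cookie are not sent
         in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the container shows this page when an unauthenticated
       user requests a protected URL, then forwards to the original
       request after a successful login. The form on /login.jsp must POST
       the fields j_username and j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced by the constraint above. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

An explicit logout is a servlet that calls `HttpSession.invalidate()` on the current session; any servlet later mapped under the protected URL pattern is covered without further code.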