A "500" Response code is not a session timeout. It's an indicator that the application logic threw an Exception. Check your server logs.
Volodymyr is just passing on the advice I gave him. I've worked with J2EE since before they named it J2EE and seen more user-defined logins than I can count, many in critical business functions. And every last bloody one of them had security holes!
Usually, in fact, non-technical people could crack the app in under 15 minutes.
J2EE defines a security standard. It was designed by full-time trained security experts, not as an afterthought by someone whose primary responsibilities were something else. It is already present in the server, fully debugged and operational, and I've never heard of an instance of it being defeated. It also requires considerably less coding than user-defined security systems, plus the J2EE API defines standard methods to use it. That's why I recommend it.