Consider the following use-case:

- A user has been inactive for 10 minutes.
- His session has been timed out.
- On the next click the user will go back to the login page.

If I want to show a message that shows to the user that his session has been timed out, I need to handle that manually, using an HttpSessionListener (from the javax.servlet API). It would be nice to have a built-in feature for that in Spring Security.
As a suggestion, Spring Security could add a boolean request attribute called "sessionTimedOut".
Then it will be easy to display a message in the login page in case this boolean is set to true.
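
An added example, not part of the original request and not Spring Security code: a plain servlet filter that sets the suggested "sessionTimedOut" request attribute by checking whether the browser presented a session id the container no longer accepts. It swaps the HttpSessionListener approach for a per-request check; the class name `SessionTimedOutFilter` is hypothetical, and it assumes the filter is mapped ahead of the Spring Security filter chain and that the login page is rendered in the same request (a forward), since a request attribute does not survive a redirect.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter illustrating the request above; not part of Spring Security. */
public class SessionTimedOutFilter implements Filter {

    // Attribute name taken from the suggestion in the request.
    public static final String ATTRIBUTE = "sessionTimedOut";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // The client sent a session id (cookie or URL) that the container
        // no longer maps to a live session.
        boolean stale = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // A stale id is also what the container sees after a logout, a server
        // restart, or a made-up cookie value, so treat the flag as a display
        // hint only and never base an access decision on it.
        request.setAttribute(ATTRIBUTE, Boolean.valueOf(stale));

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The login view can then test the `sessionTimedOut` request attribute and show a fixed message; the message text should not echo the session id or any other request data.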