The SessionManagementFilter always creates a new session before redirecting to invalidSessionUrl.
I think that is a waste of resources and absolutely not necessary. Isn't it a little bit strange if a new session is created before the user gets redirected to a page which says "session timeout"?
BTW the message
"Starting new session (if required) and redirecting to '/main/error/invalidsession.htm"
which is logged before request.getSession() is a little bit confusing ("if required") as the session always gets created afterwards.
Maybe I am getting something wrong, but if not, please change the code to not create a new session (in any case).