This is the preferred way to set the session timeout in web.xml:

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

To validate each request (whether it is in the same session or not), follow these steps:
1. If login succeeds, put a flag (the user name, in your case) into the session.
2. Create a filter that intercepts each request.
3. Inside the filter, check whether the user is logged in (to do so, read the flag, here the user name, from the session).
4. If the user is logged in, continue; otherwise redirect to the login page.
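
    private void loginSession(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // getSession(false): do not create a session for a request that has none
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("username");
        if (user == null) {
            // Not logged in: redirect to the login page ("/login" is an assumed path)
            response.sendRedirect(request.getContextPath() + "/login");
        } else {
            // Logged in: nothing to do, the request continues
        }
    }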
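
Steps 1 to 4 wired together as a servlet filter, as an added example that is not part of the original answer. It assumes the `javax.servlet` API at Servlet 3.1 or later; the class name `LoginFilter`, the helper `markLoggedIn` and the `/login` path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter for steps 2-4; "/login" is an assumed path, not from the answer.
@WebFilter("/*")
public class LoginFilter implements Filter {
    private static final String LOGIN_PATH = "/login";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the application, e.g. "/login" or "/orders/42".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page itself must pass through, or the redirect loops forever.
        if (path.equals(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): an anonymous request must not allocate a session.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("username");

        if (user == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        // Pages behind the login should not be kept in browser or proxy caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    // Step 1: call from the login handler only after the credentials were verified.
    static void markLoggedIn(HttpServletRequest request, String username) {
        request.getSession(true);   // make sure a session exists
        request.changeSessionId();  // Servlet 3.1+: a fresh ID defeats session fixation
        request.getSession().setAttribute("username", username);
    }
}
```

Static resources the login page needs (CSS, images) have to be exempted the same way as `LOGIN_PATH`, otherwise they are redirected too.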