How can an HttpSessionListener comunicate directly to an user web browser that his session has been destroyed by server web.xml "timeout" parameter?

Lasse Koskela

It can't.

The request-response nature of the HTTP protocol prevents us from sending "push" data to the browser.

When the HttpSessionListener.sessionDestroyed() method is called by the container, the session is already dead (the actual HttpSession object is alive, though). If the browser sends a request just before that moment (session still alive), the session timeout is renewed. If the browser sends a request just after that moment (session already dead), we cannot recognize the relation between "the session that was killed about 48 seconds ago" and the incoming request (which doesn't have an existing session, yet).