Using the default <session-timeout> setting for JSP, I want to show an "Your session expired (30 min)" message after the session expire and bring the user back to the login page.

To use ((HttpServletRequest) request).getSession(false) == null to detect it isn't doing the job properly, because the session will be null already at the first time the user enters the application, making the message pop right on.

How can I avoid this? Is there a way to customize JSP's HttpSession so I could know when the real event happened?

How about setting a cookie indicating last login? If the cookie is valid and url is not login url, then the session timeout message can be shown.

How about using request.isRequestedSessionIdValid() method (pseudo code):

if(request.getRequestedSessionId() == null) {
  // no session yet -> need to create new one
}
else if(request.isRequestedSessionIdValid()) {
  // we have valid session
}
else {
  // session invalid due to timeout -> handle timeout
}