Truth is, there is no standard HTTP status code for a session timeout. Sessions are implemented in the application layer, not the HTTP transport layer.

There is a custom status code that Microsoft have been using for session timeout: 599, or simply make up your own status code in the 5xx range.

From the Status Codes Wiki:

599 Network connect timeout error (Unknown) This status code is not specified in any RFCs, but is used by Microsoft Corp. HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.

I use the custom status code 599 for a session timeout and then check for it in the AJAX response.

I believe the appropriate code is going to be 403/Forbidden. There aren't any that are directly related to sessions.

For non-Ajax requests, I use a 302 redirect.

For Ajax requests, I use 200 for known errors. That way I can take advantage of the data object. I find the data object easier to work with than parsing jqXHR for info. And then I don't need to worry about what HTTP status code to try to re-purpose for my situation.

jQuery Example:

$.ajax({
    //send data to server
})
.done(function(data, textStatus, jqXHR) {
    if (data.success) {
        //then process return data
    }
    else {
        //get error type or message from data object
        //could use custom error codes
    }
})
.fail(function(jqXHR, textStatus, errorThrown) {
    //handle unknown errors
});

As per the Wikipedia link of Http Status Codes provided above by Bobo:

440 Login Timeout (Microsoft)

    A Microsoft extension. Indicates that your session has expired.

What about 419 - it is not standard, but the description on Wikipedia seems to fit:

419 Authentication Timeout

Not a part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.

Technically, the accepted answer is of correct: If you already know for sure that you are going to be failing the request, and you are asking which failure code to return, then HTTP 401 "Unauthorized (Unauthenticated)" is the appropriate one, so as to prompt re-authentication.

But first of all, ask yourself: should you fail the request?

Consider that the user may simply be visiting a public page of your website, in which case you are going to be slapping them across the face with an "Unauthorized!" message, and requiring them to re-authenticate, in order to see a page that they would normally be able to see without authentication. That's not cool.

My advice is to ignore the fact that the session token is unknown, and simply proceed to generate a new session token and create a new session for it. The initial state of the session will of course be "not-yet-authenticated", so if the user is trying to access a non-public page, then the page will see to it that they receive an HTTP 401 "Unauthorized (Unauthenticated)" and must authenticate. But if the user lands on a public page, they won't notice anything different.