If it were me I would clear the session on log out and create a bool in it called HasLoggedOut then set this to true. Then if this bool exists in session you know they logged out, if it doesn't then the session has either timed out or the user never logged in at all.

As you still cant differentiate between timed out and not logged in I normally make the decision that if they request an authenticated page I will just send them to session timeout page which also doubles as a login page that says something like

"Oops, we don't know who you are, either your session has timed out or you have not yet logged in please login below"

This then caters for both scenarios

On login, set a cookie with a long expiry (> 24 hours). Remove this cookie at logout time by setting the maxage to 0.

You can have check for any non-logged in user (i.e. invalid session id). If the cookie does not exist, redirect him to login.jsp

If the cookie exists, it means his session expired so redirect him to session-expired.jsp

You can test expired sessions by checking if HttpServletRequest#getRequestedSessionId() doesn't return null (which means that the client has sent a session cookie and thus assumes that the session is still valid) and HttpServletRequest#isRequestedSessionIdValid() returns false (which means that the session has been expired at the server side).

In a nut:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);

    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        response.sendRedirect(request.getContextPath() + "/sessionexpired.jsp");
    } else if (session == null || session.getAttribute("user") == null) {
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    } else {
        chain.doFilter(request, response);
    }
}

No need to hassle with extra cookies. Map this Filter on an url-pattern covering the protected pages (and thus excluding the sessionexpired and login pages!).

Don't forget to disable page caching by the browser on the protected pages, otherwise the webbrowser will load them from the cache when you're going back in the browser history, instead of sending a new request to the server. You can achieve this by doing the following in the same filter, before Chain#doFilter() call.

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.