What Bozho has given you is correct, what you are seeing most likely is that when you press your logout button, the session is being destroyed, but the servlet container is then being directed to a "post logout" page, which automatically causes a session to be created (Hence "Session Destroyed" followed by "Session Created").

Short of creating your own session handling system, I don't know how you would get around this. (I've had this issue in the past and it disappeared after we created our own session system)

You can change the session timeout by HttpSession#setMaxInactiveInterval() wherein you can specify the desired timeout in seconds.

When you want to cover a broad range of requests for this, e.g. all pages in folder /admin or something, then the best place to do this is to create a Filter which is mapped on the FacesServlet which does roughly the following job:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpSession session = request.getSession();

    if (request.getRequestURI().startsWith("/admin/")) {
        session.setMaxInactiveInterval(60 * 5); // 5 minutes.
    } else {
        session.setMaxInactiveInterval(60 * 240); // 240 minutes.
    }

    chain.doFilter(req, res);
}

In a JSF managed bean the session is available by ExternalContext#getSession():

HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession();
// ...

Or when you're already on JSF 2.1, then you can also use the new ExternalContext#setSessionMaxInactiveInterval() which delegates to exactly that method.

Automatically - no.

You'd have to:

• store all sessions in a Set. Do this in a HttpSessionListener when they are created.
• at the given time (using quartz for example) .invalidate() them