I never trust the session.isNew or or getSession(true). Any hit to a JSP before this
test is made will skew the results.
Rather, I test for the existence of an object bound to session.
Upon a successful login, bind an object to session ("userBean" for instance).
Then, for each request requiring a valid login, test to see if session.getAttribute("userBean") returns null. If so, redirect to the login page, if not, you know they are currently logged in.
BTW: filters are great for this.