在会话期满的那一刻，不可能发送重定向.也就是说，客户端当时没有发送任何HTTP请求，您可以随后通过重定向进行响应.

It's not possible to send a redirect at exactly the moment when the session is expired. The client has namely not sent any HTTP request at that moment which you could then respond with a redirect.

您应该只保留现有的身份验证机制，当用户不再登录时，该机制将重定向到登录页面.您最多可以通过添加以下检查来改进它:检查用户是否已被重定向到登录页面，因为会话已过期，或者仅仅是因为他从未登录过(例如，这是一个新请求) ).

You should just keep your existing authentication mechanism which redirects to the login page when the user is not logged-in anymore. You can at best improve it by adding a check if the user is been redirected to the login page because the session has been expired, or just because he has never logged in before (i.e. it's a fresh new request).

如果 HttpServletRequest#isRequestedSessionIdValid() 返回false(这意味着会话具有已在服务器端过期).您可以在检查登录用户的同一过滤器中执行此操作(您已经拥有一个，对吗?或者您正在使用容器管理的身份验证?).

You can check for that by if HttpServletRequest#getRequestedSessionId() doesn't return null (which means that the client has sent a session cookie and thus assumes that the session is still valid) and HttpServletRequest#isRequestedSessionIdValid() returns false (which means that the session has been expired at the server side). You can do that in the very same filter where you're checking for the logged-in user (you do already have one, right? or are you using container managed authentication?).

User user = (User) session.getAttribute("user");

if (user == null) {
    String loginURL = request.getContextPath() + "/login.jsf";
    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        response.sendRedirect(loginURL + "?expired=true");
    } else {
        response.sendRedirect(loginURL);
    }
} else {
    chain.doFilter(request, response);
}

然后在login.xhtml页面中进行检查

<h:panelGroup rendered="#{param.expired}">
    <p>You have been redirected to the login page, because your session was expired.</p>
</h:panelGroup>

您的相位监听器方法毫无意义.实际上，它会在每个请求上发送重定向，从而导致其在无限循环中运行.恢复视图阶段与会话到期完全无关.

Your phase listener approach makes by the way no sense. It indeed sends a redirect on every single request causing it to run in an infinite loop. The restore view phase has absolutely nothing to do with the session expiration.