Hello,
there is no such code specific to the session timeout. When the session timeout is reached, the web application server will simply have "forgotten" who the user is, e.g. any authentication data contained in the session is lost. The next time the user navigates to a page, this will be noticed by the Surf framework and the user will be redirected to the login page as any unauthenticated user would.
There is no way to determine reliably if the user is redirected to the login page because of a timed-out session. Sure, the client will likely submit a session cookie, but this could also be faked or be a session cookie from the last time the user accessed the page months ago.
There are various places where an authentication check is performed and a redirect to the login page or an error might occur. The primary redirect to login-page is handled in the class org.springframework.extensions.surf.mvc.PageView, but any authentication error in any Share web script (or even client-side triggered AJAX requests) might also redirect to the root context of the Share web application with the cookie already gone. I.e. if an AJAX call fails due to session timeout, the client-side handling of the response will reload the page and this reload should already be lackig the now obsolete session cookie, preventing you from identifying this reload as a "session has timed out" case.
Regards
Axel