When tomcat receives a POST request on a session that has timedout, it will forward to the form based login page (form-login-page). If this forward fails for some reason (an error in the login page for instance), tomcat will return an empty HTTP response, without any error code. The tomcat log says "Unexpected error forwarding to login page" and contains the detailed stacktrace, but i would expect the error to show up in the browser as well (at least a 500 status)
Thanks for the report. This has been fixed in trunk (for Tomcat 7) and proposed for back port to 6.0.x and 5.5.x
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.
Fixed in 5.5, will be in 5.5.29 onwards. Thank you.