This is just a snippet of my entire configuration, but this will check if the session has expired ONLY for authenticated users. When you use .maximumSessions(1) you are dealing with concurrent user management. That's not what you need.
In the following snippet, I check all incoming requests if they are authenticated .anyRequest().authenticated(). If the request is from an authenticated user (I don't check for roles) AND the session has timed out .sessionManagement().invalidSessionUrl(), redirect them back to the index page which has the login form.
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.sessionManagement().invalidSessionUrl("/?sessionexpired=true");
}
}