Why are you using request.getSession(false)? Instead why not use the overloaded method request.getSession() which:
Returns the current session associated with this request, or if the request does not have a session, creates one.
Here's the API reference:
I'm not using request.getSession() because in the case of my logout page invalidate de session, the filter would create a new one and the user would stay logged in.
in the case of my logout page invalidate de session, the filter would create a new one and the user would stay logged in.
How would that happen? Your filter will be invoked before the control is forwarded to the logout page. The logout page can then use this session(created in the filter) to invoke the invalidate method.