The xmlhttp object follows a 302 response automatically. You can check this using Firebug/Fiddler: your first response will be a 302 redirect, and the xmlhttp object will immediately request the location contained in the 302 response, so your login page is what comes back.
There are a few ways you can avoid the above scenario.
1) Add a meta refresh tag that takes the user to a signout action method and redirects them to the login page a few seconds before the session is due to time out (best option for security imo).
2) A minute or so before timeout, show the user a dialog which tells them they are about to be signed out. If they click "stay signed in" within the minute, make a quick AJAX call which will keep the session valid for the next x minutes; if the user does not respond, simply issue a client redirect to your signout action.
3) The ugly solution could be to check the AJAX response to see if it is the login page (test for a certain id or similar); if so, do a full page client redirect to your signout action. Not nice, but it will work.
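
Option 3 as an added example (not code from the answer above): it classifies the response the script actually sees after the 302 has been followed and triggers the full-page redirect to the signout action. The paths `/Account/LogOn` and `/Account/SignOut`, the marker id `login-form` and the sample responses are assumptions made for illustration.

```javascript
// Added example. LOGIN_PATH, SIGNOUT_URL and LOGIN_MARKER_ID are hypothetical
// values; replace them with your application's own.
const LOGIN_PATH = '/Account/LogOn';
const SIGNOUT_URL = '/Account/SignOut';
const LOGIN_MARKER_ID = 'login-form';

// The 302 is followed inside the XHR object, so script only sees the final
// response: status 200, an HTML body, and responseURL set to the login page.
function isLoginPageResponse(resp) {
  if (resp.responseURL) {
    // Compare the path only; the base is used when responseURL is relative.
    const path = new URL(resp.responseURL, 'http://example.invalid').pathname;
    if (path.toLowerCase() === LOGIN_PATH.toLowerCase()) return true;
  }
  // Fallback for clients without responseURL: marker id in an HTML body.
  const type = (resp.contentType || '').toLowerCase();
  if (!type.startsWith('text/html')) return false;
  const marker = new RegExp('\\bid\\s*=\\s*["\']' + LOGIN_MARKER_ID + '["\']', 'i');
  return marker.test(resp.body || '');
}

// navigate and onData are injected so the logic runs outside a browser.
function handleAjaxResponse(resp, navigate, onData) {
  if (isLoginPageResponse(resp)) {
    navigate(SIGNOUT_URL); // full-page redirect, not an in-place DOM update
    return 'signed-out';
  }
  onData(resp.body);
  return 'ok';
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  expired: { status: 200, contentType: 'text/html; charset=utf-8',
    responseURL: 'https://app.example/Account/LogOn?ReturnUrl=%2fOrders%2fList',
    body: '<html><form id="login-form" method="post"></form></html>' },
  expiredNoUrl: { status: 200, contentType: 'text/html',
    body: '<form action="/x" id = \'login-form\'>' },
  partial: { status: 200, contentType: 'text/html',
    responseURL: 'https://app.example/Orders/List', body: '<ul id="orders"></ul>' },
  json: { status: 200, contentType: 'application/json',
    responseURL: 'https://app.example/api/help',
    body: '{"hint":"use <form id=\\"login-form\\">"}' },
};
```

In a browser, build `resp` from `xhr.responseURL`, `xhr.getResponseHeader('Content-Type')` and `xhr.responseText`, and pass `url => window.location.assign(url)` as `navigate`.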