How to detect context path on virtual server

Hello, we have deployed the app portal on 5.2021.9 to the context root /portal.
Also, we have configured a virtual server for the hostname www.portal.xx, which has Default Web Module set to our portal app.

Everything works as expected: if we open www.portal.xx, we get the root of the app, index.xhtml.
We get the same if we open it directly on its context root, www.portal.xx/portal/index.xhtml.

Now, we have a login on our site that hides the content of the portal behind the /secure path.
After a successful login, if the user visits the page over the virtual server, he is redirected to the virtual server path www.portal.xx/secure/main.xhtml (real path /portal/secure/main.xhtml).

Our login redirection looks like this:

    public void execute() throws IOException {
        switch (processAuthentication()) {
            case SEND_CONTINUE:
                // The authentication mechanism has already written the response
                facesContext.responseComplete();
                break;
            case SEND_FAILURE:
                facesContext.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Invalid Credentials", null));
                break;
            case SUCCESS:
                appBean.load();
                // The redirect target is built from the context path of the current (login) request
                getExternalContext().redirect(getExternalContext().getRequestContextPath() + "/secure/main.xhtml");
                break;
            default:
                facesContext.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Invalid Credentials", null));
        }
    }

The issue we have is that if the user keeps the page www.portal.xx/secure/main.xhtml open long enough and his session times out, after a refresh (or some other action) he is redirected to the login page (index.xhtml).
But after a successful re-login, he is not redirected by the code to the virtual context path www.portal.xx/secure/main.xhtml, but to the real one, www.portal.xx/portal/secure/main.xhtml.

How can we detect in the redirection that we are running on the virtual server, not on the real context path?