Say you're storing 10000 sessions (meaning 10000 simultaneously active users, which is a LOT).
SessionID is a
String, maybe 20 long.
UserID is a String, maybe 10 long?
That's 60 bytes (using 2 bytes per character as
Java does) times 10000 or 600 kilobytes.
This data is already in the string constant pool for the JVM so you don't loose that amount of memory
Remains the memory for a single HashMap with 10k entries which is just over 40KB (10K times 2 times 2 bytes plus a bit for the HashMap itself).
Time to look up whether a userID exists in the Map is a very short, and can be regarded as being zero if you do any database or network operations in your application.
Is there impact? of course, every line of code you write that's not optimised away by the compiler or dead code will have an impact.
Will it be measurable? Not likely, unless the rest of your code is trivial.
Will you likely loose this much memory? No. As I said 10K users is extreme, unless it's an intranet application for a major government agency that everyone there will use all day long constantly you're unlikely to have more than a few hundred simultaneous users for even a large application.
And if you do,
you should be clustering your app anyway and use far more elaborate (and expensive in resources) schemes for security like EJBs.