For a general-purpose webapp, the best bet is to hook a session listener into a central monitoring point, which could be as simple as an application-scope bean containing a hashtable.
For a webapp specifically intended to control Tomcat and only Tomcat, you should look at the Tomcat JMX/MEJB properties to see what's offered.
Only as a last resort should you hook into internal Tomcat code. Anything that dependent on the kitty's innards is probably going to require extensive rework every time Tomcat goes into a new major release.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
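The session-listener approach described in the post above, as an added example that is not part of the original post. The class name `SessionRegistry` and the attribute name `sessionRegistry` are hypothetical; it assumes the Servlet 3.1+ API (`javax.servlet`; use `jakarta.servlet` on newer Tomcat releases).

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Added example: one container-managed object that is both the session
// listener and the application-scope "bean" holding the table of sessions.
@WebListener
public class SessionRegistry
        implements ServletContextListener, HttpSessionListener, HttpSessionIdListener {

    public static final String ATTR = "sessionRegistry"; // hypothetical attribute name

    // session id -> creation time (ms); ids only, so no session objects are pinned
    private final Map<String, Long> sessions = new ConcurrentHashMap<>();

    @Override public void contextInitialized(ServletContextEvent sce) {
        // Publish in application scope so servlets and JSPs can look it up
        sce.getServletContext().setAttribute(ATTR, this);
    }

    @Override public void contextDestroyed(ServletContextEvent sce) {
        sessions.clear();
    }

    @Override public void sessionCreated(HttpSessionEvent se) {
        sessions.put(se.getSession().getId(), se.getSession().getCreationTime());
    }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        // Fires on explicit invalidate() and on timeout
        sessions.remove(se.getSession().getId());
    }

    @Override public void sessionIdChanged(HttpSessionEvent se, String oldId) {
        // The container may issue a new id (e.g. on login); re-key the entry
        Long created = sessions.remove(oldId);
        sessions.put(se.getSession().getId(),
                created != null ? created : se.getSession().getCreationTime());
    }

    public int activeCount() { return sessions.size(); }

    public Map<String, Long> snapshot() { return Collections.unmodifiableMap(sessions); }
}
```

A monitoring servlet can read it with `getServletContext().getAttribute(SessionRegistry.ATTR)`; since the table exposes live session ids, that servlet should sit behind an admin-only security constraint.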