Here was the solution I implemented:
I specified the use of the org.apache.catalina.session.StandardManager in my context.xml file, which allows me to set an attribute for maxActiveSessions:
http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html

I then use the HTTP JMX interface for Tomcat management to change the value at will for any specific web app on the server:
http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html

I wrote a JSP/servlet that will allow me to specify a server, username, and password, connect to the jmxproxy page, scrape the page for all of the web applications and associated attributes, then display them and provide forms to modify each attribute.
The only thing I still haven't resolved, which is very frustrating, is that the maxInactiveInterval attribute in the StandardManager has no effect when entered in the context.xml file. The session-timeout element in the web.xml file is what Tomcat will use. The problem is that the value in web.xml is in minutes, with the lowest possible value of 1. I want to invalidate my sessions immediately after the request, so 1 minute is too long. The only way I can find to do this is a) programmatically through the HttpSession object, which accepts a value in seconds and overrides the web.xml value, or b) through the JMX manager application that I just wrote.
Cheers
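
Option (a) from the post above, sketched as an added example that is not the poster's code: a class that caps every new session at a few seconds through HttpSession.setMaxInactiveInterval and invalidates the session as soon as the request finishes. The class name ShortLivedSessionGuard and the 1-second fallback are assumptions, and the class has to be registered in web.xml as both a listener and a filter (Servlet 2.5, as used by Tomcat 6).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name; stateless, so the separate listener and filter
// instances the container creates do not need to share anything.
public class ShortLivedSessionGuard implements Filter, HttpSessionListener {

    // Fallback lifetime in SECONDS (web.xml session-timeout is in minutes).
    // Keep it positive: a negative value means "never expire", and newer
    // servlet specifications treat zero the same way.
    private static final int FALLBACK_TIMEOUT_SECONDS = 1;

    // Runs for every new session and overrides the web.xml timeout, so a
    // session that escapes the filter below still expires quickly.
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(FALLBACK_TIMEOUT_SECONDS);
    }

    public void sessionDestroyed(HttpSessionEvent event) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } finally {
            // Invalidate even when the request handler threw an exception.
            if (req instanceof HttpServletRequest) {
                // getSession(false) never creates a session just to destroy it.
                HttpSession session = ((HttpServletRequest) req).getSession(false);
                if (session != null) {
                    try {
                        session.invalidate();
                    } catch (IllegalStateException alreadyInvalidated) {
                        // The application invalidated it first; nothing left to do.
                    }
                }
            }
        }
    }

    public void init(FilterConfig config) { }

    public void destroy() { }
}
```

Map the filter to every URL pattern that can create a session; a session created on an unmapped path lives until the fallback timeout expires it.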