Not sure if this is a good idea but definitely worked for us.
Create a data structure to store user information and add it to session during logon.
Add refereneces of session objects to a somekind of list (Arraylist) and store this list in Application object.
You now have access to all session objects and can call session.invalidate() on the selected session isntance and delete from list.
Make sure you delete the session instance from the list when the session times out using HttpSessionBindingListener