Bug 21468 reveals the need to control Http session handling

# The maximum number of active sessions that will be created by this Manager,
# or -1 (the default) for no limit.

# The initial maximum time interval, in seconds, between client requests before a session is invalidated.
# A negative value will result in sessions never timing out.
# If the attribute is not provided, a default of 1800 seconds is used.