This may not be the answer your looking for, but at least it will bump your thread back up for a second chance. I found this fragment that illustrates how to set the session-timeout for an individual web application as a setting from web.xml (in the WEB-INF dir of the app's jar file). This fragment is from JBoss 2.4, but the new DTD (in %jboss_dist&\docs\dtd\web-app_2_3.dtd) shows that the setting is still available.
?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Default login configuration uses form-based authentication -->
The dtd explains the setting like this:
The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes. If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out.
Good luck, let us know if this helps.