The only limit is the amount of available heap space.
To monitor the sessions, use the mbean:
where 'xxx' is the binding host name, which is 'localhost' by default' and 'yyy' is the application's context. Thus there is a collection of sessions for each web applications. Interesting attributes include expiredSessions, sessionCounter, maxActiveSessions, and others.