The maximum in-memory session count number has different meanings, depending on session support configuration:
General memory requirements for the hardware system, and the usage characteristics of the e-business site, determines the optimum value.
Overflow in non-persistent sessions
By default, the number of sessions maintained in memory is specified by the maximum in-memory session count. If you do not wish to place a limit on the number of sessions maintained in memory and allow overflow, select Allow overflow.
Allowing an unlimited amount of sessions can potentially exhaust system memory and even allow for system sabotage. Someone could write a malicious program that continually hits your site and creates sessions, but ignores any cookies or encoded URLs and never utilizes the same session from one HTTP request to the next.
When overflow is disallowed, the Session Manager still returns a session with the HttpServletRequest's getSession(true) method if the memory limit has currently been reached, but it would be an invalid session that is not saved.
With the WebSphere Application Server - Express extension to HttpSession, com.ibm.websphere.servlet.session.IBMSession, an isOverflow() method returns true if the session is an invalid session. An application could check this and react accordingly.