If this is a feature of the application, then I would use a HttpSessionListener to count/register all the sessions created/removed into a context attribute, say a Map. And now, any
servlet (better protected by some security features) can access the context attribute and count the number of active session object there.
Would there be any better strategy?