Spookily, I just looked up that very same thing in the specs.
I'm still a little unsure...
If setting <session-timeout> in DD, the spec says "If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period."
However, for setting it programmatically, it just says "By definition, if the timeout period for a session is set to -1, the session will never expire." No mention of 0. HFSJ p247 has an example where it sets it to 0 and says "causing the session to timeout immediately".