Since the servlet API no longer directly lets you get to other sessions,
one way this could be done would be to make a custom listener that implements the HttpSessionListener, and register it in the web.xml, so as a session is created in the system, your listener would store a reference to that session into a hash table (within the servlet context attributes?) possibly keyed by session identifier. It is not really cluster friendly, or reload of webapp friendly and
you should remove the session from your map in the sessionDestroyed() of the listener.
Then your admin page can consume this map, and invoke invalidate() on selected sessions.