I'm not sure I understand when you want to invalidate the session:
1. During processing of a request from the user?
2. After a period of inactivity by the user?
3. Independent of what the user is doing?
If 1 or 2 - the servlet API will take care of it
If 3 then as David said you will have to track sessions yourself - this opens up a whole can of worms because the servlet container will also be trying to manage the session objects, so be careful.