Write a HttpSessionListener and unconditionally throw an exception from the sessionCreated() method and kill the session. Like this:
public class IronFistedHttpSessionListener
public void sessionCreated(HttpSessionEvent se)
throw new IllegalStateException("Session use is not permitted.");
public void sessionDestroyed(HttpSessionEvent se)
// Do nothing
Note that this may cause parts of your code to start to fail. Now, it will be your job to fix the parts of your code that are triggering sessions to be created.
For example, if you don't explicitly state session="false" in all of your JSPs, a session will be created by default. So, you'll need to edit all the JSPs you have that don't state session="false" so they won't create sessions.
You may have other places in your code where sessions are created due to careless code. Fix those and your HttpSessionListener should never be invoked.