Add this to the web.xml:
<session-config>
<session-timeout>xxx</session-timeout>
</session-config>
where xxx is a value in minutes (I looked in several places and didn't see any that said that '0' means indefinite). This applies to all sessions. As far as I know there is no way to configure sessions from a certain IP addresses.