You may want to first read about the difference between a session and a cookie.
There are two session or cookie management levels. You can set the session or cookie management settings at the application server level, or at the application level. The settings at the application level will take precedence over the settings at the application server level.
By default, the Maximum in-memory session count will be set to 1000 sessions, and Allow overflow is checked. In this configuration, the maximum number of simultaneous sessions is 1000, however, the limit can exceeded by the allow overflow selection.