If you are not familiar with how sessions are configured in WebSphere, check out our getting started page.
By default, when a new application server is created, sessions are managed at the application server level, a maximum of 1000 sessions is allowed per application server, allow overflow is enabled, and excessive sessions are not stored in a database or in memory.
With these configurations, since allow overflow is enabled, after 1000 sessions are stored in memory, a second session memory table is constructed, and all of the additional sessions are stored in the second memory table. The sessions are stored in the application server's heap space (memory). If all of the heap space is used, the application server will experience an out of memory condition, which may cause the application server to heap dump. As an example, let's say an application server is configured with 256 MB of heap memory. When 1000 sessions are stored in the heap, perhaps this would use up just under half of the heap space.
With allow overflow enabled, additional sessions can be placed in the heap space, which could eventually use up all of the available heap space, causing the dreaded out of memory situation.
This may be even more problematic if you've enabled the override session management options for multiple applications in an application server. For example, let's say you have 3 applications deployed to your application server, each application has enabled the override session management option, and each application is configured to allow 1000 maximum sessions with allow overflow enabled. In this scenario, you are allowed 3000 maximum sessions, plus overflow, which could cause the application server to run out of memory and heap dump.
You may want to consider creating a template application server that has allow overflow disabled or that is configured to store excessive sessions in a database or on a different application server, so that when new application servers are created, they will be configured in a way that helps to prevent the application server from having an out of memory situation.
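The following added example (not from the original page or from IBM) audits a session manager configuration for the settings discussed above and reports whether the session cap is actually enforced. It assumes the `tuningParams` layout of a WebSphere traditional `server.xml`; the sample XML, its ids, and the 125 KB per-session figure (chosen to match the 256 MB example above) are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a WebSphere traditional server.xml
# session manager entry (assumed layout; ids and values are made up).
SAMPLE = """<root xmlns:xmi="http://www.omg.org/XMI">
  <services xmi:id="SessionManager_1" sessionPersistenceMode="NONE">
    <tuningParams xmi:id="TuningParams_1" maxInMemorySessionCount="1000"
                  allowOverflow="true" invalidationTimeout="30"/>
  </services>
  <services xmi:id="SessionManager_2" sessionPersistenceMode="DATABASE">
    <tuningParams xmi:id="TuningParams_2" maxInMemorySessionCount="1000"
                  allowOverflow="false" invalidationTimeout="30"/>
  </services>
</root>"""

XMI_ID = "{http://www.omg.org/XMI}id"

def audit_sessions(xml_text, heap_mb, kb_per_session):
    """Return one finding per session manager: its in-memory cap, whether
    overflow makes that cap unenforced, and the heap the cap would need."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter():
        tp = mgr.find("tuningParams")  # direct child only
        if tp is None:
            continue
        cap = int(tp.get("maxInMemorySessionCount", "1000"))
        # A missing attribute is treated as the default described above.
        overflow = tp.get("allowOverflow", "true").lower() == "true"
        findings.append({
            "id": mgr.get(XMI_ID),
            "persistence": mgr.get("sessionPersistenceMode", "NONE"),
            "max_sessions": cap,
            "allow_overflow": overflow,
            "capped_heap_mb": round(cap * kb_per_session / 1024.0, 1),
            # With overflow on, the cap is no limit: this is the session
            # count at which session data alone would fill the heap.
            "sessions_to_fill_heap":
                int(heap_mb * 1024 // kb_per_session) if overflow else None,
        })
    return findings

def total_capped_heap_mb(findings):
    """Heap needed if every session manager reaches its cap at once."""
    return sum(f["capped_heap_mb"] for f in findings)
```

Any finding with `allow_overflow` set to true has no effective upper bound on session memory, and `total_capped_heap_mb` shows how quickly several overriding applications approach the heap size even before overflow is counted.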