Updated doc on invalid session detection.

Invalid session URL must typically be omitted from the filter chain to prevent an infinite loop.

samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -33,7 +33,7 @@
         <x509 />
 -->
         <!-- Uncomment to limit the number of sessions a user can have -->
-        <session-management>
+        <session-management invalid-session-url="/something">
             <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
         </session-management>