Canvas doesn’t create any sessions, users create sessions when they send a request for a TM1 resource and login via Canvas. What may be an issue is that the sessions aren’t being closed, what you should do is have an adequate
HTTPSessionTimeoutMinutes setting so that if the browser is closed without an explicit logout the sessions are removed.
It works the same way in the browser, if you execute a REST API call, something like:
https://localhost:8881/api/v1/Dimensions('Account') and then close the browser you will see the session remains until they timeout.
How are you configuring the maximum sessions? Through Max Connections? I would recommend having a value larger than 2.