One popular pattern used in this kind of scenario is the "Open session in view" pattern. It uses a ServletFilter to handle the opening and closing of the session for each request. Typically, the transaction is also handled here. Starting and committing a transaction programmatically in the DAO methods (such as your findAllLoggedInUsers) is considered an anti-pattern (since now that piece of code can't be reused in a different use case that may need a transaction that spans multiple method calls).
In any case, there is a wiki page on the JBOSS community describing the Open-session-in-view pattern:
https://community.jboss.org/wiki/OpenSessionInViewIt's a bit old and some details may be different in more recent Hibernate versions, but the overall concept should be the same.