With regards to "sessions" you have to clearly distinguish what kind of session you are referring to.
A user can have many HTTP sessions associated with them - a session is established whenever any HTTP client accesses the backend (potentially indirectly via the Share or another frontend). Since a user can use multiple tools / clients or have multiple sessions open in a browser, they can have any number of sessions
A CMIS session is a purely client-side concept. There can be as many as the client application instantiates / uses, and Alfresco does not limit their number. A CMIS session may use a single HTTP session provided the client has been initialised to use HTTP cookies for HTTP session management, but can technically create a new HTTP session with each new request to the Alfresco server
Threads are neither created per HTTP session nor CMIS session. Threads are created by the application server to deal with any incomming requests. Typically, there is a configured maximum thread count, which limits the number of requests that can be processed at the same time. The number of threads does not limit the number of sessions that can be established for any user / client, apart from "soft-limits" due to performance degredation.
Within Alfresco, there is also the concept of a "ticket" session, which is an HTTP session-independent means of encapsulating an established authentication context and reusing it, potentially across multiple applications. Since sometime in the Alfresco 4.x release history, Alfresco will default to having only one active ticket session per user, and reusing the same ticket internally independent of which client / interface is used to access it. This is a configurable behaviour, and may be changed if necessary - though I believe the new default was intended to address some performance / security issues.
So to answer your question:
Downloading 50 files at the same time (provided the client supports true, multi-threaded download) will make use of 50 of the available threads in the application server. If there are not enough available threads and the server is allowed to spawn more threads, it may spawn new threads. The number of CMIS / HTTP sessions has no impact on this.
An admin user can have many HTTP sessions, many CMIS sessions, and by default only one "authentication ticket" session
Any user can have many HTTP sessions, many CMIS sessions, and by default only one "authentication ticket" session