This can potentially create resource issues (for instance, public JIRA instances can have problems caused by a large number of sessions created by bots crawling the site).

If it's possible that Stash could be deployed in similar circumstances (ie, crawlable by unauthenticated users) it might be wise to head off trouble by not creating sessions for unauthenticated connections, or at least taking steps to minimise the impact of short-lived sessions.

If Stash is only ever intended to be used by authenticated users, there seems little point worrying about this (unless a bot repeatedly hitting the login page could still generate sessions and potentially cause a DOS)