Description
Requests authenticating to Crowd's REST API will create a session. If clients use the same session cookie for subsequent requests then they can avoid reauthenticating, which may save time. However, as the only value of these sessions is for performance, there's no reason for the sessions to be long lived.
Reduce the timeout to a minute. After that long, the cost of reauthenticating is negligible.
At the same time, remove the code to delete Crowd sessions when the HttpSessions expire. They'll expire around the same time, which is good enough for them to provide indicative state.