seraph (not sure about the version. this is with JIRA 2.5.2) always creates a session, even when this isn't necessary.

I've got a page that I've added to a JIRA install. this page doesn't require any special permissions or roles. I expect this
page to get lots of hits, and I further expect it to change fairly infrequently, making it a perfect candidate for caching.
I'm also using resin, which has some nice caching features built in. However, any request that acquires a session is
considered by resin to be uncacheable, so this nice plan falls apart.

the basic problem is that seraph's SecurityFilter calls getUser() on a DefaultAuthenticator. there are several calls to
request.getSession(), which creates a session if one didn't previously exist.

better would be to be a little more careful, and use getSession(false) in the cases where you don't absolutely need to
create a session. at some point, for some pages, you'll need to create a session (to store the saved URL, for example)
but for other pages there's never any use for the session, so one shouldn't be created.