I notice that even as an anonymous user, a Shiro session is created (and inserted into my db in my case) at my first access to a web page. After a successful login, the session record is simply updated with the appropriate attributes.
Now I tried 'stress-testing' the main page URL with:
curl -s "http://myapp.com?[1-1000]"
And my fear came true, as I counted as many created sessions as loop iterations.
So the question here is: is there any way I can avoid a session creation flood caused by a web crawler or a spammer?
This works for me, allowing session creation only upon login, yay:
/login = authc
/logout = noSessionCreation, logout
/** = noSessionCreation, anon
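
An added example (not from the original post): a small Python audit of the [urls] rules above that reports which request paths can still create a session. It assumes Shiro's first-match-wins chain resolution and uses a simplified Ant-style matcher; the function names and sample paths are made up for illustration.

```python
import re

# The [urls] rules from the post above, in file order.
URLS = """\
/login = authc
/logout = noSessionCreation, logout
/** = noSessionCreation, anon
"""

def parse_urls(text):
    """Return [(pattern, [filter names])], preserving file order."""
    chains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, filters = line.partition("=")
        # Strip per-filter config such as roles[admin] before splitting.
        names = [f.strip() for f in re.sub(r"\[.*?\]", "", filters).split(",")]
        chains.append((pattern.strip(), names))
    return chains

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans '/', '*' and '?' do not."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def resolve(chains, path):
    """Return the filters of the first pattern that matches the path."""
    for pattern, names in chains:
        if ant_to_regex(pattern).match(path):
            return names
    return []

def session_creation_allowed(chains, path):
    """True when the winning chain does not include noSessionCreation."""
    return "noSessionCreation" not in resolve(chains, path)

def audit(chains, paths):
    return {p: session_creation_allowed(chains, p) for p in paths}

if __name__ == "__main__":
    # Constructed sample paths; the query string is not part of the path.
    for path, allowed in audit(parse_urls(URLS), ["/", "/login", "/logout", "/items/42"]).items():
        print(f"{path:12} session creation {'allowed' if allowed else 'disabled'}")
```

With these rules only /login is reported as able to create a session; a rule added above /** without noSessionCreation would show up the same way.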