Too many sessions are created when accessing the login page?

i am using spring framework,apache,tomcat and开发者_开发问答 the login page is handled with spring security and i have an issue that every first time request to the login page is generating a new session for the user, i know it's the default behaviour, when you access the login page, a new session is created for you, then what if a large load made on the login page, too many users are just viewing the login page without doing anything, so too many un-used sessions are created here. what do you guys think of just an issue, i know it's rare, but it may occur, how to deal with it ?

I don't think thats rare. One possible solute could be to set the session timeout to a minimum. For example 5 minutes. Further you can write a filter to increase the session timeout if a session already exists for the user. So normal user will have a session timeout of 30 minutes and users only visit one side have a timeout of 5 minutes.

Here is a filter that dose the trick:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {

    HttpServletRequest httpRequest = (HttpServletRequest)request;

    // The false is important, otherwise a new session will be created.
    HttpSession session = httpRequest.getSession(false);

    if (session == null) {
        chain.doFilter(request, response);
        return;
    }

    session.setMaxInactiveInterval(30 * 60);
    chain.doFilter(request, response);
}

Another good advice is to filter crawlers like the google bot. "Bot Detection" is a good keyword to look for.