Create a Filter, map it to every request. Make sure the Filter comes 1st in filter-mapping. Override the HttpServletRequest methods getSession() and getSession(boolean) to throw an Exception, return a fake session object, etc.
For example, you might want to create a fake session object that throws an Exception on its methods if you suspect a 3rd party library creates sessions but doesn't use them, or if you don't feel like updating every .jsp to not automatically create sessions. Use the new ServletRequest object as the parameter to chain.doFilter().
[Message sent by forum member 'jleech' (jleech)]
http://forums.java.net/jive/thread.jspa?messageID=352373