Session creation triggered by XSS/XSRF filter

I was investigating a problem and happened to notice that our XSS/XSRF  
filters are triggering the creation of Session objects. I then noticed  
that they are creating a session when I hit an arbitrary url (I'm  
expecting a 404). This is plain wrong, IMO. This was on 2.1.4, but I  
would assume that 2.2 has the same behavior.

http-0.0.0.0-8080-1@10 daemon, priority=5, in group 'main', status:  
'RUNNING'
          at  
org
.apache
.catalina.session.StandardManager.createSession(StandardManager.java:
284)
          at org.apache.catalina.connector.Request.doGetSession(Request.java:
2,312)
          at org.apache.catalina.connector.Request.getSession(Request.java:
2,075)
          at  
org
.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:
833)
          at  
org
.apache
.geronimo.console.filter.XSRFHandler.isInvalidSession(XSRFHandler.java:
79)
          at  
org
.apache
.geronimo.console.filter.XSSXSRFFilter.doFilter(XSSXSRFFilter.java:109)
          at  
org
.apache
.catalina
.core
.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
235)
          at  
org
.apache
.catalina
.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at  
org
.apache
.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:
233)
          at  
org
.apache
.catalina.core.StandardContextValve.invoke(StandardContextValve.java:
191)
          at  
org
.apache
.geronimo
.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
          at org.apache.geronimo.tomcat.GeronimoStandardContext
$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
          at  
org
.apache
.geronimo
.tomcat
.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
          at  
org
.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:
128)
          at  
org
.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:
102)
          at  
org
.apache
.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at  
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
568)
          at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
286)
          at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
845)
          at org.apache.coyote.http11.Http11Protocol
$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint
$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:613)

--kevan