Simple problem, but with bad consequences. It amounts to a security vulnerability: an attacker can endlessly cause sessions to be created simply by ignoring the session cookie each request. The consequences of such an attack will depend on whether the session engine is file-, database-, process-memory-, or cache-daemon-based. An application should therefore be able to control whether and when new sessions are created.
What could be an acceptable solution? I can think of:
Create a new option 'auto_create_sessions: 0|1', and if it is set to false, don't have the session created automatically but force the user to call 'create_session' manually.
Create a 'session_creation' hook that can short-circuit the creation of the session if anything bad is detected.
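Added example, not code from the original post or from any particular session plugin: a framework-agnostic sketch of both proposals, an auto_create_sessions switch and a session_creation hook that can veto creation, exercised against a client that never returns the cookie. The option and hook names come from the post; SessionEngine, per_ip_budget, the request dict shape and the cookie name are assumptions.

```python
import secrets
from typing import Callable, Optional

# Constructed sketch: the in-memory dict stands in for whichever
# file/DB/memcached backend the real session engine would use.
COOKIE = "sid"


class SessionEngine:
    def __init__(self, auto_create_sessions: bool = True,
                 session_creation: Optional[Callable[[dict], bool]] = None):
        self.store = {}                                # sid -> session data
        self.auto_create_sessions = auto_create_sessions
        self.session_creation = session_creation       # hook; False vetoes

    def create_session(self, request: dict) -> Optional[str]:
        """Explicit creation; the hook (if set) may short-circuit it."""
        if self.session_creation and not self.session_creation(request):
            return None
        sid = secrets.token_hex(16)
        self.store[sid] = {}
        return sid

    def handle(self, request: dict) -> dict:
        """Per-request entry: resume an existing session, else maybe create."""
        sid = request.get("cookies", {}).get(COOKIE)
        if sid in self.store:
            return {"status": 200, "set_cookie": None}
        new_sid = self.create_session(request) if self.auto_create_sessions else None
        return {"status": 200, "set_cookie": new_sid}


def simulate_cookieless_client(engine: SessionEngine, requests: int) -> int:
    """A client that ignores Set-Cookie every time; returns sessions stored."""
    for _ in range(requests):
        engine.handle({"ip": "198.51.100.7", "cookies": {}, "path": "/"})
    return len(engine.store)


def per_ip_budget(limit: int) -> Callable[[dict], bool]:
    """Example session_creation hook: cap fresh sessions per client address."""
    seen = {}
    def hook(request):
        n = seen.get(request["ip"], 0)
        if n >= limit:
            return False                               # veto: budget spent
        seen[request["ip"]] = n + 1
        return True
    return hook
```

With auto-creation on and no hook the store grows by one entry per request; either control bounds it, and an explicit create_session call still works for the login path.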