Major Description
After some debugging and reading, I discovered that our HTTP sessions by default have a timeout of 0, which means they never expire. Why this is the default I'm not sure but we should fix this, because if you create enough sessions, you will now run out of memory. Two solutions are possible:
1) Use the development version of the Felix HTTP service, which does have support for configuring the timeout. Actually the documentation already mentions this, it just fails to mention that the latest release does not yet support that option.
2) Explicitly use setMaxInactiveInterval(secs) on each session we create. Provided we can hook into each location where sessions are created, this should work too, and won't require us upgrading to some snapshot version.