I think that currently grails is calling: http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletRequest.html#getSession() on every request which will automatically create an HttpSession if none is associated with the request. This is a problem for stateless apps like web services which don't require HttpSession access. It is a trivial problem until you have a webservice which is accessed many times a second. With each new request creating a new HttpSession it doesn't take long to cause problems. A workaround is to reduce the session timeout of the App to 1 min, but that stops you from combining a webservice with a GUI in one context. I propose that the base Controller checks for a static property (or properties) that if present would mean a call to: http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletRequest.html#getSession(boolean) passing false as the argument. This would then return null if no session is associated with the request, without creating a new HttpSession. In an ideal world, it would be possible to turn off HttpSession creation for a whole Controller (all actions) and also turn them off for a particular set of actions.