When multiple users access the Moqui server, the server generates a separate session for each user, right? When you talk about multiple API calls, whether the Moqui server treats them as coming from one user or multiple users is not related to Moqui itself. If you want the server to create only one session for multiple API calls, you need to first make a request to the server to obtain the jsessionid, and then include this jsessionid with all subsequent API calls.
We’ve been using Astro and/or Quasar in front of Moqui and talk to the ERP with REST via RTK for SSR or PWA but we are using OAuth. We do get a lot of anonymous visitor records in the log but we have a cronjob clear that out.
I like the idea of session cleanup. Although You don’t need necessarily a cronjob for that, moqui itself could clean them with a scheduled job instead.
I think whether or not fixed, we do have an issue that should be addressed. Simply flood the server with requests without a JSESSIONID and observe your /runtime/sessions directory filling up. If you combine this with long lived sessions (say a day or a week) then you might have a serious issue on your hands. We need a way to ignore such requests or limit them past a certain number or using some other common solution. Furthermore, even if you do build a massive set of sessions, I think some kind of directory structure might ease the pressure on the system. Say for example runtime/sessions/2025/04/17/*