On Front-end In-Portal don't create empty session (records in UserSession and SessionData tables) until there is need to write something into it (e.g. user_id of logged-in user).
Why we don't have same type protection against too much unused sessions being created in admin console too.
For example I don't have ability to enable cookies and I'm just refreshing admin console login screen. New session will be created each time I do so.