You must call session.forget() sometime during the request for any request in which you don't need the session. Of course, that means if you call session.forget() in a model, it will affect all requests, because models are run on all requests. However, Auth actions require the session, as well as pages with forms (the session is used to store the CSRF token) -- so you will need some logic to ensure the session is not disabled for all requests.
Also, note that session.forget() won't necessarily lead to a big performance boost because when the session remains unchanged during a request, it is not saved back out to disk (or the db) anyway. The only savings will be from the fact that the session will not need to determine whether it has changed (which involves a pickle and hash operation).
Anthony