Anyway, after much digging I finally nailed it down to a component that was being used to render email. We use the following method to instantiate a component and then call generateResponse().contentString() to get it's html content:
public static WOComponent instantiatePage(String pageName) {
// Create a context from a fake request
WORequest request = new WORequest("GET", "", "HTTP/1.1", null, null, null);
WOContext context = WOApplication.application().createContextForRequest(request);
return WOApplication.application().pageWithName(pageName, context);
}
The problem was that one of the components used as an email touched the session. I believe because we are using a fake context this results in a new session being created. I'm not sure why those extra sessions don't just expire like normal ones ? But anyway, problem solved. I can sleep again.
Simon