Upon further investigation it seems that a session is started by the CAccessControlFilter->preFilter method.
Now, what I find interesting is that even with no access rules set, or with access filters not dependent on users, this method will do an Yii::app()->getUser() which in turn starts a session to see if there is a session user present.
I think any reference to the user object in the preFilter method should only be made conditionally IF there is a need to check access rules against a user.
I am against starting sessions for basically any page for no reason - not only for performance reasons but also because this affects upstream caching and CDNs…