I would say that you are doing the correct thing already with a session-per-request pattern. This is the recommended approach and sessions are cheap enough to create. You don't say what kind of performance problems you are experiencing but I would expect that there are other (and better) ways to solve them.
An Application-scoped session will not work since a session is not thread-safe.
A Http-Session-scoped session can be used, but only for a limited time. For example, when going through a wizard-like process that is expected to be completed in a relatively short time-frame (session-per-conversation pattern). Keeping the session around longer is likely to result in problems with stale data in the session cache.
thanks for your explanations. I will just stay with the session-per-request pattern.