express-session: Don't save uninitialized sessions

This should avoid frivolous session records, such as when the user gets a 404 (unless login was required to see the 404).
2025-06-21 13:40:29 -04:00 · 2021-12-18 17:51:17 -05:00 · 2021-12-18 17:51:17 -05:00 · ec10700dff
commit ec10700dff
parent 7255dd7ef0
2 changed files with 4 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,9 @@
 ### Notable enhancements and fixes

 * Improvements to login session management:
+  * `express_sid` cookies and `sessionstorage:*` database records are no longer
+    created unless `requireAuthentication` is `true` (or a plugin causes them to
+    be created).
  * `sessionstorage:*` database records are automatically deleted when the login
    session expires (with some exceptions that will be fixed in the future).
  * Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,