express-session: Don't save uninitialized sessions

This should avoid frivolous session records, such as when the user
gets a 404 (unless login was required to see the 404).
pull/5348/head
Richard Hansen 2021-12-18 17:51:17 -05:00
parent 7255dd7ef0
commit ec10700dff
2 changed files with 4 additions and 1 deletions

@ -3,6 +3,9 @@
### Notable enhancements and fixes
* Improvements to login session management:
* `express_sid` cookies and `sessionstorage:*` database records are no longer
created unless `requireAuthentication` is `true` (or a plugin causes them to
be created).
* `sessionstorage:*` database records are automatically deleted when the login
session expires (with some exceptions that will be fixed in the future).
* Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
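
Review bot: the new bullet on `express_sid` cookies says a plugin can cause them to be created, but not how. With `saveUninitialized: false`, express-session stores a session and sets the cookie only once something has been written to `req.session`, so a plugin that merely reads the session will no longer get a cookie or a `sessionstorage:*` record. Consider saying that in the entry, or adding a compatibility note for plugin authors who relied on every visitor having an `express_sid`.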

@ -181,7 +181,7 @@ exports.restartServer = async () => {
secret: settings.sessionKey,
store: sessionStore,
resave: false,
saveUninitialized: true,
saveUninitialized: false,
// Set the cookie name to a javascript identifier compatible string. Makes code handling it
// cleaner :)
name: 'express_sid',
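
Review bot: nothing in this commit tests the switch to `saveUninitialized: false`; the two changed files are the changelog and this options block. A regression test that requests a page without logging in (the 404 case from the commit message) and asserts that the response carries no `express_sid` `Set-Cookie` header, plus one confirming the cookie still appears when `requireAuthentication` is `true`, would keep the setting from being reverted unnoticed. A short comment on the line saying why uninitialized sessions are not saved would also match the commented `name` option below it.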