diff --git a/CHANGELOG.md b/CHANGELOG.md index 79f741d7d..58daed814 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ ### Notable enhancements and fixes * Improvements to login session management: + * `express_sid` cookies and `sessionstorage:*` database records are no longer + created unless `requireAuthentication` is `true` (or a plugin causes them to + be created). * `sessionstorage:*` database records are automatically deleted when the login session expires (with some exceptions that will be fixed in the future). * Requests for static content (e.g., `/robots.txt`) and special pages (e.g., diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js index 43b1d986a..18f026463 100644 --- a/src/node/hooks/express.js +++ b/src/node/hooks/express.js @@ -181,7 +181,7 @@ exports.restartServer = async () => { secret: settings.sessionKey, store: sessionStore, resave: false, - saveUninitialized: true, + saveUninitialized: false, // Set the cookie name to a javascript identifier compatible string. Makes code handling it // cleaner :) name: 'express_sid',
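Review bot: In the CHANGELOG.md hunk, the new bullet's parenthetical "(or a plugin causes them to be created)" does not tell plugin authors what changed for them. Before this change every visitor received an `express_sid` cookie and a `sessionstorage:*` record, so a plugin that assumed a persisted session for anonymous visitors will now behave differently. Consider stating that explicitly, and consider whether it also belongs in a compatibility note rather than only under "Notable enhancements and fixes".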
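Review bot: In the src/node/hooks/express.js hunk, the `saveUninitialized: false` line carries no comment, while the neighbouring `name: 'express_sid'` option does. Since this one-line flip is what stops cookies and `sessionstorage:*` records from being created for anonymous visitors, a short comment saying so would help keep it from being reverted by accident. The visible lines also include no test; a regression test asserting that a request with `requireAuthentication` set to `false` returns no `express_sid` Set-Cookie header, and that one is still issued when it is `true`, would pin down the behaviour the changelog promises.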