From ec10700dff8c0c77eca441789a0f944e53f4375d Mon Sep 17 00:00:00 2001 From: Richard Hansen Date: Sat, 18 Dec 2021 17:51:17 -0500 Subject: [PATCH] express-session: Don't save uninitialized sessions This should avoid frivolous session records, such as when the user gets a 404 (unless login was required to see the 404). --- CHANGELOG.md | 3 +++ src/node/hooks/express.js | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79f741d7d..58daed814 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ ### Notable enhancements and fixes * Improvements to login session management: + * `express_sid` cookies and `sessionstorage:*` database records are no longer + created unless `requireAuthentication` is `true` (or a plugin causes them to + be created). * `sessionstorage:*` database records are automatically deleted when the login session expires (with some exceptions that will be fixed in the future). * Requests for static content (e.g., `/robots.txt`) and special pages (e.g., diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js index 43b1d986a..18f026463 100644 --- a/src/node/hooks/express.js +++ b/src/node/hooks/express.js @@ -181,7 +181,7 @@ exports.restartServer = async () => { secret: settings.sessionKey, store: sessionStore, resave: false, - saveUninitialized: true, + saveUninitialized: false, // Set the cookie name to a javascript identifier compatible string. Makes code handling it // cleaner :) name: 'express_sid',
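Review bot: The flipped option `saveUninitialized: false` carries no comment explaining why, and its consequence is easy to get wrong later: express-session now persists the session and issues the `express_sid` cookie only once something is written to `req.session`, so an anonymous client gets a fresh `req.sessionID` on each request until then. Any code that keys state on `req.sessionID` before login (per-session rate limits or CSRF tokens, if such code exists outside this hunk) would have to store something in the session first or key on something else; I cannot tell from the hunk whether any caller does. I would add above the line: `// Only persist a session (and set express_sid) once something is stored in req.session.`. This also keeps `resave: false`, which relies on `sessionStore` implementing `touch()` to extend the expiry of active sessions, so it is worth confirming the store does, since otherwise an active login could expire server-side before its cookie does. The enclosing `restartServer` starts and ends outside the hunk.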