express-session: Don't save uninitialized sessions
This should avoid frivolous session records, such as when the user gets a 404 (unless login was required to see the 404).
pull/5348/head
parent
7255dd7ef0
commit
ec10700dff
|
@ -3,6 +3,9 @@
|
||||||
### Notable enhancements and fixes
|
### Notable enhancements and fixes
|
||||||
|
|
||||||
* Improvements to login session management:
|
* Improvements to login session management:
|
||||||
|
* `express_sid` cookies and `sessionstorage:*` database records are no longer
|
||||||
|
created unless `requireAuthentication` is `true` (or a plugin causes them to
|
||||||
|
be created).
|
||||||
* `sessionstorage:*` database records are automatically deleted when the login
|
* `sessionstorage:*` database records are automatically deleted when the login
|
||||||
session expires (with some exceptions that will be fixed in the future).
|
session expires (with some exceptions that will be fixed in the future).
|
||||||
* Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
|
* Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
|
||||||
|
|
|
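Review bot: The new changelog bullet about `express_sid` cookies and `sessionstorage:*` records does not tell plugin authors what they have to do to get a session now. With `saveUninitialized: false`, express-session only persists a session and sets the cookie once something has written to `req.session`, so a plugin that assumed the cookie was present on every request will no longer see it for anonymous visitors. The parenthetical "(or a plugin causes them to be created)" hints at this; consider spelling out that a plugin must modify `req.session` to have the record and cookie created, and flag the entry as a behaviour change for plugins rather than listing it only as an improvement.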
@ -181,7 +181,7 @@ exports.restartServer = async () => {
|
||||||
secret: settings.sessionKey,
|
secret: settings.sessionKey,
|
||||||
store: sessionStore,
|
store: sessionStore,
|
||||||
resave: false,
|
resave: false,
|
||||||
saveUninitialized: true,
|
saveUninitialized: false,
|
||||||
// Set the cookie name to a javascript identifier compatible string. Makes code handling it
|
// Set the cookie name to a javascript identifier compatible string. Makes code handling it
|
||||||
// cleaner :)
|
// cleaner :)
|
||||||
name: 'express_sid',
|
name: 'express_sid',
|
||||||
|
|
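Review bot: The switch to `saveUninitialized: false` has no accompanying test in this diff, so nothing guards against the option being flipped back or overridden later. A regression test that requests a non-existent path without `requireAuthentication` and asserts that the response carries no `express_sid` cookie and that no `sessionstorage:*` record was written would cover the case named in the commit message. Also worth checking before merge: any code that reads `req.sessionID` or the `express_sid` cookie for unauthenticated users will now get a different ID on each request until the session is modified. A one-line comment above the option stating why it is `false` would match the comment already given for `name`.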