express-session: Don't save uninitialized sessions

This should avoid frivolous session records, such as when the user gets a 404 (unless login was required to see the 404).
2021-12-18 17:51:17 -05:00 · 2021-12-18 17:51:17 -05:00 · ec10700dff
parent 7255dd7ef0
commit ec10700dff
2 changed files with 4 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,9 @@
 ### Notable enhancements and fixes

 * Improvements to login session management:
+  * `express_sid` cookies and `sessionstorage:*` database records are no longer
+    created unless `requireAuthentication` is `true` (or a plugin causes them to
+    be created).
  * `sessionstorage:*` database records are automatically deleted when the login
    session expires (with some exceptions that will be fixed in the future).
  * Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@ -181,7 +181,7 @@ exports.restartServer = async () => {
    secret: settings.sessionKey,
    store: sessionStore,
    resave: false,
-    saveUninitialized: true,
+    saveUninitialized: false,
    // Set the cookie name to a javascript identifier compatible string. Makes code handling it
    // cleaner :)
    name: 'express_sid',