Reduce server load caused by anonymous viewing.

[BenLubar]

Do not start a session if the current user is not logged in for public-facing pages.

Mark pages that don't care about sessions as publicly cacheable.

Keep the max age as 0 so proxies and browsers will still try to retrieve an updated version but can still fall back to the stale version if the site is down or too slow.

Fixes #9035.

[Gargron]

@nightpool Is this safe?

[nightpool]

I don't understand why we're coupling it to skip_session, that feels like overloading the helper too much. I'll have to think about safety a little bit more. at the very least, we should make sure to add the logged in status to whatever cache key we're sending.

…

On Mon, Oct 22, 2018, 8:05 PM Eugen Rochko ***@***.***> wrote: @nightpool <https://github.com/nightpool> Is this safe? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#9059 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAORVyto9Us_jfEIdU3tDshOGJo7D9mgks5unl1ZgaJpZM4X0ZW9> .

[BenLubar]

This code is live on https://mastodon.lubar.me/ if you want to play around with it.

It shouldn't be sending any cookies or showing anything that requires logging in on pages where skip_session! is called.

[ClearlyClaire]

The added skip_session calls seem fine, but I agree with @nightpool that skip_session should probably not call expires_in itself, and that should probably be made explicitly in the caller instead.

The reason for this is that sessions aren't the only way to access private info, and tying the expires_in call to skip_session seems error-prone to me.