Problem
AUTH_MODE=enabled currently treats any non-empty session cookie as authenticated. That preserves the existing login handler behavior, but it is not a real server-side session model.
Desired outcome
Implement a server-side session store backed by persisted security state or another explicit session backend.
Acceptance criteria
- Login creates an opaque session ID with server-side state.
- Middleware validates the session against that store instead of accepting any non-empty cookie.
- Logout invalidates the session.
- Expiry/rotation behavior is documented and tested.
- Existing helper app-password authentication continues to work independently.
Problem
AUTH_MODE=enabledcurrently treats any non-emptysessioncookie as authenticated. That preserves the existing login handler behavior, but it is not a real server-side session model.Desired outcome
Implement a server-side session store backed by persisted security state or another explicit session backend.
Acceptance criteria