This change modifies the SessionInactivityTimeout middleware to prevent
the session ID from changing on every request while still enforcing the
inactivity timeout.
Key improvements:
- Store datetime values as ISO strings for proper serialization
- Implement hybrid session save approach that only allows full session
saves periodically (controlled by SESSION_SAVE_FREQUENCY_SECONDS)
- Preserve session ID between requests while still tracking user activity
This resolves the issue where lms_sessionid was changing on every user
interaction, which caused problems.
BREAKING CHANGE: The breaking change is that SESSION_ACTIVITY_SAVE_DELAY_SECONDS was introduced with a 15 minute default, which will change the current behavior. It is not necessarily breaking (since it actually fixes an issue), but this is to bring more attention to the new setting because the default is reasonable, but also somewhat arbitrary.
6f13c1e1cd