The problem with lazy registration, and with letting sessions be
created willy-nilly, is that search engines don't keep cookies. So
Googlebot was merrily creating a session for every page it looked at,
and periodically I'd just clean out the sessions file, no biggie. Only,
at the moment I'm using a timestamp for a session id (partly because it
made debugging easier, partly because I was too lazy to set up a guid
yet) and we were encountering duplicate keys (because we get hit five
or six times a second by various search engines... my prediction for
the Next Big Thing: search spider aggregators). No biggie there either,
other than every time Postgres tried to write a duplicate key, it wrote
a warning to the error log.
Which filled up var last night. That *is* a biggie.
So I got around to half of my eventual fix for that: when a temporary
session is handed out, it *isn't* written to the session file. When it
comes back as a cookie, *then* it's written. (We don't trust
temporary-user sessions that much anyway, so it's no big deal if
someone "forges" their own. They're only used for user-convenience
features, not serious authentication. For that you have to register
slightly less lazily.)
Right now, it's not writing temporary sessions at all, which is okay.
I'll fix and test it in the next release, which will happen soon... I
almost have everything moved to the new server, so I can have the old
new server for dev.
