I'd like to get a few extra eyes on the patches in this ticket:
What they do is basically make the AbstractSessionStore not write
out a new cookie whenever the session is accessed, only when the
getter of the SessionHash is actually called (e.g., when the session is
modified). The other patch changes the way flash works as well, to not
store an empty flash hash (which would modify the session hash).

The motive behind this, apart from needless Set-Cookie headers, is
that it makes expires_in and other Cache-Control directives work
pretty much out of the box with proxy caches such as Varnish (assuming
no cookies are set of course). Otherwise you'd have to mess around
with keeping magic cookies (for logged in users etc) in sync, since
basically everyone gets a cookie as it is today, which is a pain.

I don't use the CookieStore and I wasn't sure if applying a similar
approach as in the AbstractStore would break the encryption semantics
(I got test failures on the persistent session_id tests). So it's only
the stores using the AbstractStore as a base (e.g. ActiveRecordStore and
MemcachedStore) that receive the above benefits.
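
The behaviour described in the message above, sketched as an added example that is not part of the original post and is not the code from the patches: a session hash that stays unloaded until the application reads or writes it, and a Rack-style middleware that emits Set-Cookie only when it was loaded. The class names, the in-memory Hash store and the `_session_id` cookie name are assumptions made for this illustration.

```ruby
require "securerandom"

# Hypothetical stand-in for the session hash: nothing is loaded from the
# store until the application reads or writes a key.
class LazySessionHash
  def initialize(store, sid)
    @store, @sid, @data = store, sid, nil
  end

  def loaded?
    !@data.nil?
  end

  def [](key)
    data[key]
  end

  def []=(key, value)
    data[key] = value
  end

  def data
    @data ||= (@store[@sid] || {}).dup
  end
end

# Rack-style middleware written without the rack gem. Cookie name is assumed.
class LazySessionMiddleware
  KEY = "_session_id"

  def initialize(app, store = {})
    @app, @store = app, store
  end

  def call(env)
    sent = env["HTTP_COOKIE"].to_s[/(?:\A|;\s*)#{KEY}=(\h{32})/, 1]
    # Unknown ids are never adopted, so a client cannot choose its own id.
    sid = @store.key?(sent) ? sent : SecureRandom.hex(16)
    session = env["rack.session"] = LazySessionHash.new(@store, sid)
    status, headers, body = @app.call(env)
    # Untouched session: no store write and no Set-Cookie, so a shared
    # cache can honour the response's Cache-Control as-is.
    return [status, headers, body] unless session.loaded?

    @store[sid] = session.data
    [status, headers.merge("Set-Cookie" => "#{KEY}=#{sid}; path=/; HttpOnly"), body]
  end
end
```

Because a read also loads the session here, an action that only inspects the session still gets a cookie and drops out of the shared cache.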