SimpleMachines · sbulen · Feb 23, 2026 · Mar 13, 2026 · Mar 13, 2026 · Apr 11, 2026
diff --git a/Sources/Session.php b/Sources/Session.php
@@ -31,6 +31,8 @@ function loadSession()
 	@ini_set('session.use_cookies', true);
 	@ini_set('url_rewriter.tags', '');
 	@ini_set('arg_separator.output', '&amp;');
+	@ini_set('session.lazy_write', true);
+	@ini_set('session.cookie_secure', empty($modSettings['secureCookies'] ? false : true));
 
 	// Allows mods to change/add PHP settings
 	call_integration_hook('integrate_load_session');
@@ -172,12 +174,19 @@ public function read(/*PHP 8.0 string*/$id)/*PHP 8.0: string|false*/
 	#[\ReturnTypeWillChange]
 	public function write(/*PHP 8.0 string*/$id,/*PHP 8.0 string */ $data): bool
 	{
-		global $smcFunc;
+		global $smcFunc, $scripturl, $context, $modSettings;
+		// Any action that is not dependent on data within the session may be added to this array
+		static $no_writes = array('dlattach');
 
 		// Don't bother writing the session if cookies are disabled; no way to retrieve it later
 		if (empty($_COOKIE))
 			return true;
 
+		// Don't bother writing the session for users just browsing
+		// If verification is required, always write the session
+		if ((empty($_REQUEST['action']) || in_array($_REQUEST['action'], $no_writes, true)) && !empty($scripturl) && empty($context['require_verification']) && !empty($modSettings['allow_guest_access']))
+			return true;
+
 		if (!$this->isValidSessionID($id))
 			return false;