Session::cleanup() is not called before shutdown

[joshmcrae]

Tempest version

2.9.3

PHP version

8.4

Operating system

macOS

Description

When a FlashValue is retrieved from the session, its key is expired immediately. Nowhere in the default request lifecycle however does the Session::cleanup() method get called to actually remove these values from the session data.

I note that HttpApplication::run() calls SessionManager::cleanup() at the end of a request, but given that there's a command for this and it's supposed to be run only occasionally, I think it's a typo and should actually be called on Session.

Steps to reproduce

1. Create a custom Request class with some validation rules
2. Create a controller route that renders a form (using x-input for one or more of the fields accepted by the request) and another that accepts the custom request class
3. Submit the form with invalid data
4. Observe that a flash value is set for the original values and another for errors
5. Perform a GET on the original route and notice that the flash values stay in place - they will not disappear from the form until other data is submitted.

[joshmcrae]

It appears that this used to be how it worked, but #1688 swapped to cleaning up the session manager.

[brendt]

Yeah the change in #1688 turns out to be my mistake.

That being said, the previous code also had an issue: it always cleaned the session even if no session was present. That meant a sessions would have been started every time for every request, even when it wasn't necessary.

I'm going to clean this up