Shouldn't readSession return an empty object {} (as the comment on the t...

[pdobrev]

...op of the function says), instead of undefined if the cookie is not present?

Some middlewares that rely on the session (like everyauth) complain that it is undefined. Does this change have some security implications?

[pdobrev]

bump?

[refack]

:+1:

[jfromaniello]

:+1: