moderator
A session is already started before someone can login your application. (In fact the csrf token will not work without a session) So if someone access the login page (Or any other public available page) that has sessions enabled you will get a new record in your database.
You can try it by visiting your site in incognito / privacy modes of your brower without login and check the table.
Sign in to participate in this thread!
