don't create a session if it does not exists

src/main/java/com/commafeed/backend/service/UserService.java

@@ -75,10 +75,12 @@ public class UserService {
 	 * try to log in by checking if the user has an active session
 	 */
 	public Optional<User> login(HttpSession session) {
-		User user = (User) session.getAttribute(SESSION_KEY_USER);
-		if (user != null) {
-			afterLogin(user);
-			return Optional.of(user);
+		if (session != null) {
+			User user = (User) session.getAttribute(SESSION_KEY_USER);
+			if (user != null) {
+				afterLogin(user);
+				return Optional.of(user);
+			}
 		}
 		return Optional.absent();
 	}

src/main/java/com/commafeed/frontend/auth/SecurityCheckProvider.java

@@ -67,7 +67,7 @@ public class SecurityCheckProvider implements InjectableProvider<SecurityCheck,
 		}
 
 		private Optional<User> cookieSessionLogin() {
-			return userService.login(request.getSession());
+			return userService.login(request.getSession(false));
 		}
 
 		private Optional<User> basicAuthenticationLogin(HttpContext c) {

src/main/java/com/commafeed/frontend/servlet/CustomCssServlet.java

@@ -36,7 +36,7 @@ public class CustomCssServlet extends HttpServlet {
 		final Optional<User> user = new UnitOfWork<Optional<User>>(sessionFactory) {
 			@Override
 			protected Optional<User> runInSession() throws Exception {
-				return userService.login(req.getSession());
+				return userService.login(req.getSession(false));
 			}
 		}.run();
 		if (!user.isPresent()) {

src/main/java/com/commafeed/frontend/servlet/NextUnreadServlet.java

@@ -53,7 +53,7 @@ public class NextUnreadServlet extends HttpServlet {
 		final Optional<User> user = new UnitOfWork<Optional<User>>(sessionFactory) {
 			@Override
 			protected Optional<User> runInSession() throws Exception {
-				return userService.login(req.getSession());
+				return userService.login(req.getSession(false));
 			}
 		}.run();
 		if (!user.isPresent()) {