Anonymous Intelligence Signal

GitHub Security Fix: CookieSessionAuthMiddleware Bug Allowed Empty User IDs as Authenticated

human The Lab unverified 2026-04-09 01:27:04 Source: GitHub Issues

A critical security flaw in a widely used authentication middleware has been patched. The vulnerability, tracked in GitHub issue #3410, stemmed from the `CookieSessionAuthMiddleware` incorrectly treating sessions with an empty or missing `user_id` field as fully authenticated users. This bug effectively allowed corrupted or incomplete session data to bypass authentication checks, creating a potential vector for unauthorized access.

The issue was rooted in the use of `unwrap_or_default()` on the session data. When the `user_id` field was absent, this method returned an empty string, which was then passed to `AuthState::authenticated()`. As a result, the middleware treated a session with no real identity as a valid, logged-in user. The fix adds a guard clause that checks for an empty `user_id` string after the default unwrap. If the `user_id` is empty, the middleware now destroys the corrupted session and returns `AuthState::anonymous()`, closing the security gap.
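The pre-fix and post-fix logic described above, side by side, as an added example that is not the project's own code. The in-memory `Store`, the `resolve_*` functions, the `AuthState` variants and the sample sessions are assumptions made for illustration; only `unwrap_or_default()`, `AuthState::authenticated()` and `AuthState::anonymous()` come from the issue description.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins; only the AuthState constructor names are from the page.
#[derive(Debug, PartialEq)]
enum AuthState { Authenticated(String), Anonymous }

impl AuthState {
    fn authenticated(user_id: String) -> Self { AuthState::Authenticated(user_id) }
    fn anonymous() -> Self { AuthState::Anonymous }
}

// Constructed in-memory store (an assumption): session id -> session fields.
type Store = HashMap<String, HashMap<String, String>>;

// Pre-fix logic: an absent user_id defaults to "" and is still authenticated.
fn resolve_before_fix(store: &Store, sid: &str) -> AuthState {
    let Some(data) = store.get(sid) else { return AuthState::anonymous() };
    let user_id = data.get("user_id").cloned().unwrap_or_default();
    AuthState::authenticated(user_id)
}

// Post-fix logic: guard after the default unwrap, destroy the session, go anonymous.
fn resolve_after_fix(store: &mut Store, sid: &str) -> AuthState {
    let Some(data) = store.get(sid) else { return AuthState::anonymous() };
    let user_id = data.get("user_id").cloned().unwrap_or_default();
    if user_id.is_empty() {
        store.remove(sid); // the corrupted session must not survive the request
        return AuthState::anonymous();
    }
    AuthState::authenticated(user_id)
}

// Constructed sample sessions: valid, empty user_id, missing user_id.
fn sample_store() -> Store {
    let mut s = Store::new();
    s.insert("ok".into(), HashMap::from([("user_id".to_string(), "42".to_string())]));
    s.insert("empty".into(), HashMap::from([("user_id".to_string(), String::new())]));
    s.insert("missing".into(), HashMap::new());
    s
}

fn main() {
    let mut store = sample_store();
    for sid in ["ok", "empty", "missing"] {
        let before = resolve_before_fix(&store, sid);
        let after = resolve_after_fix(&mut store, sid);
        println!("{sid}: before={before:?} after={after:?} kept={}", store.contains_key(sid));
    }
}
```

A stricter variant would match on the `Option` directly and never construct an identity from a default value, which removes the need for the empty-string check.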

The patch was tested with new unit tests, including `test_empty_user_id_produces_anonymous_and_destroys_session` and `test_missing_user_id_produces_anonymous`. These tests confirm that sessions with an empty string or a missing key now reliably result in an anonymous authentication state. The fix is a non-breaking change, but it is essential for any project that relies on this middleware for secure session handling and needs to prevent unintended authentication.