Prevent session creation for sessionless users

What does this MR do and why?

When "Expire from time of session creation" is enabled and sessionless auth (for example a personal access token) is used, we should not set session['signed_in_at'], because doing so writes a session entry to Redis on every request that is then never used again.

References

Related to #574619

How to set up and validate locally

  1. In the instance admin settings "General" > "Account and limit", enable "Expire from time of session creation". Restart GDK.
  2. Generate a personal access token for a user
  3. On one terminal, run gdk redis-cli monitor | grep "sefie" to monitor the Redis commands
  4. On another terminal, run curl 'http://gdk.test:3000/api/graphql' -X POST -H 'Authorization: Bearer <PAT>' -H 'content-type: application/json' --data-raw '{"variables":{},"query":"{ currentUser { id } }"}' (Replace <PAT> with the actual token)

Before this MR, you will notice that a new Redis entry is created every time you make the GraphQL request. It looks something like:

1759818067.237595 [5 unix:/Users/work/Projects/gdk/redis/redis.socket] "set" "session:gitlab:2::d8c98be5218cb3263532a3115fbd5d0bf416953f9dff8d8ea43fc8dc9e24bec7" "\x04\bo: ActiveSupport::Cache::Entry\t:\x0b@value{\x06I\"\x1dwarden.user.user.session\x06:\x06ET{\x06:\nsefie{\x06I\"\x11signed_in_at\x06;\aTl+\aS\xb1\xe4h:\r@version0:\x10@created_atf\x060:\x10@expires_inf\x171760422867.2375412" "PX" "604800000"

These are sessions that have no warden.user.user.key and contain only the signed_in_at value.

With the changes in this MR, signed_in_at is only set for sessions that have warden.user.user.key (i.e. web sessions).
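To make the decision concrete, the following Ruby sketch is an added illustration (not GitLab's own code) of the before and after behaviour on a bare session hash: a request authenticated with a personal access token carries no warden.user.user.key, so after the change its session stays empty and there is nothing for the store to write to Redis. The helper names, the session-hash shape and the 7-day lifetime are assumptions.

```ruby
# Added illustration, not GitLab code: session stamping as described in this MR.
WARDEN_KEY = 'warden.user.user.key'.freeze # present only for web (cookie) sessions
SIGNED_IN_AT = 'signed_in_at'.freeze

# Behaviour before the MR: every request stamps the session when the setting
# is enabled, including sessionless (PAT) requests.
def stamp_before(session, expire_from_creation:, now: Time.now)
  session[SIGNED_IN_AT] ||= now.to_i if expire_from_creation
  session
end

# Behaviour after the MR: stamp only sessions that belong to a signed-in web user.
def stamp_after(session, expire_from_creation:, now: Time.now)
  return session unless expire_from_creation && session.key?(WARDEN_KEY)
  session[SIGNED_IN_AT] ||= now.to_i
  session
end

# A session store has to persist an entry only when the hash holds something;
# an empty hash is the "no Redis entry created" outcome the MR is after.
def would_write_to_redis?(session)
  !session.empty?
end

# Expiry check for the "from time of session creation" mode. The lifetime is an
# assumed value; the monitor output above shows a 604800000 ms (7 day) PX TTL.
def expired_from_creation?(session, lifetime_seconds:, now: Time.now)
  started = session[SIGNED_IN_AT]
  return false if started.nil? # nothing to measure from, e.g. a sessionless request
  now.to_i - started >= lifetime_seconds
end
```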

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Heinrich Lee Yu
