This is breaking functional tests of the SecurityBundle (which rely on the session), so something is wrong in your patch

Will check it later. Seems that there is nobody try to start session at login

Done.

As I said before there is BC, Security tests don't start session at login action, but has option "require_previous_session", this why they don't pass. I make changes in that tests to fix this.

Also I create another PR #10310 that haven't BC problem, but use less right way. On my mind #10310 is better PR, people who care about start session on read operation can use its own storage, that implement LazySessionStorageInterface, and don't need to wait major version. And later on major version this interface can be merged with SessionStorageInterface with BC.

I think to close this PR, because of this line in storage:

return isset($_COOKIE[session_name()]);

Actually hasPreviousSession in Storage must have Request to work like in Request::hasPreviousSession, but this is very big changes and I'm not sure that this will be right changes and now I haven't idea, how to solve this.

Isn't this a compatibility break, as the session no longer starts automatically?

Maybe a add a new LazySession class which implements this 'new' logic without breaking the current situation. In the new class you then can enforce that that the storage implements lazy loading (LazySessionStorageInterface).

Isn't this a compatibility break, as the session no longer starts automatically?
Kind of. Now it starts automatically even on read operations, where is no session at all.
For example if I call Session::get - session will be started and it is easy (and not obvious) that you first need to check isStarted().

I will think about LazySessionInterface or maybe just check only isStarted inside Session read methods (without additionally check hasPreviousSession).