[BUG] express-session resave required despite touch being implemented

[delfuego]

Describe the bug
According to the express-session docs, the resave option should be able to safely be set to false if a given session store implements the touch method. This store (connect-mssql-v2) appears to implement touch, but in my testing, I am not seeing the sessions properly resaved without setting express-session's resave option to true.

To Reproduce
Steps to reproduce the behavior:

1. Implement a web app using express-session and connect-mssql-v2, setting express-session's cookie.maxAge setting to something (e.g., 1000 * 60 * 30 for 30 minutes), rolling to true, and resave to false.
2. Load a page from the web app, so a new session is established and saved to the MS SQL database.
3. View the session in the DB, noting the value of session.cookie.expires in the session data.
4. Reload the page from the web app.
5. View the session info again in the DB, noting that the value of session.cookie.expires is not updated.
6. Quit the web app, and change the value of express-session's resave config option to true.
7. Restart the web app.
8. Load a page again.
9. Note the session info in the DB, specifically the session.cookie.expires value.
10. Reload the page.
11. Finally, note the session info in the DB, specifically that the session.cookie.expires value has been updated properly.

Expected behavior
I would expect that the session information would be resaved even without the resave option set to true, given what is in the express-session documentation.

Desktop (please complete the following information):

• Node Version: 22.15.0
• Package Version: express-session 1.18.1, connect-mssql-v2 5.1.0

[bradtaniguchi]

Thanks for the issue report, unlike #81 this one seems a little more fickle to figure out.

I'm not sure if I or @JLuboff would be able to figure this one out as quickly/easily.

[JLuboff]

Hey @delfuego , would you be able to pull down @bradtaniguchi PR branch (#87) and test locally to see if you're still able to replicate the issue? We don't have active projects to test with, and this would be a big help!

[delfuego]

I'll try to give it a test later today! We're having massive network issues at my workplace today, so I'll wait for those to subside...

[delfuego]

I am not seeing any difference with this new code in place; if I have resave: false in my session store config, the session.cookie.expires value doesn't get updated, but when I change it back to resave: true it gets properly updated.

BUT, two things:

1. The new getExpirationDate code is looking at sessionCookie.expires, but if I log the value of sessionCookie, it looks like the parameter name actually has a leading underscore (_expires). I think that's what needs to be read, unless I'm mistaken.
2. The value I originally reported not seeing updated, which I again still don't see updated, isn't the database column expires value, it's the expires value inside the cookie — the cookie.session value in the JSON object that's stored in the session column. That's the value that needs to be updated, or else the cookie with the un-updated expiration continues to get sent to the browser, and no matter what the DB thinks, the browser will still cull it prematurely.

Happy to be wrong about this, but I think that's the issue...

[delfuego]

Hmmmm. Thought about this a bunch more last night, and then did some observability stuff this morning to see what I can understand about this.

What I know is:

• for connect-mssql-v2 as well as for two other session-store libraries I could easily test, if I set resave to false, then the the cookie expiration value that's stored in the session data in the DB (e.g., cookie.expires in the session column in connect-mssql-v2 and the data column in connect-session-sequelize) doesn't get updated.
• for all of them, if I set resave to true, that expiration value within the cookie does get updated.
• no matter what the value of resave is, the relevant session-expiration column in the DB (expires in both connect-mssql-v2 and connect-session-sequelize) does get updated.
• no matter what the value of resave is, the browser shows the cookie expiration date/time as the value that's in the session-expiration column (more or less; interestingly, the milliseconds are always slightly different).

So I guess what I now don't entirely get is: what's the purpose of the cookie.expires value that's in the JSON that's stored in the session data in the DB? Does it matter that it's not being updated when resave is false?

[JLuboff]

Sorry I still haven't found the time to properly read up on this myself, but it has not been forgotten, I promise!

[bradtaniguchi]

@JLuboff wait, could this be related to #91?

[JLuboff]

@JLuboff wait, could this be related to #91?

Sorry...missed this. It could be? I guess we'd need to have it tested :D