Explicitly calling save on a session can result in wrong expiry date

[kheyse-autodesk]

Due to the implementation of the PGStore.touch method, the expiry date in sess.cookie may be out of sync with the value in the expire column in the PG database. This is typically not a problem since only this expire column is used to filter expired sessions.
However, when explicitly calling sess.save(), the expiry date stored in sess.cookie is put into the expire column in the database (https://github.com/voxpelli/node-connect-pg-simple/blob/master/index.js#L214). Because the expiry date in sess.cookie may be a lot older than the actual expiry date stored in the expire database column, this is a problem.

When you don't call the sess.save() function explicitly, you don't notice this problem. Express-session will automatically call sess.touch() before calling sess.save() https://github.com/expressjs/session/blob/master/index.js#L237.
A workaround for me is to explicitly call sess.touch() before sess.save().

[voxpelli]

Not sure I follow – both .save() and .touch() updates the expiry time in the database and both derives the value from the session cookie? Can you explain a bit more?