expressjs · dtymon · Dec 19, 2017 · Dec 19, 2017 · Dec 19, 2017 · Dec 20, 2017
diff --git a/index.js b/index.js
@@ -336,7 +336,7 @@ function session(options) {
         });
 
         return writetop();
-      } else if (storeImplementsTouch && shouldTouch(req)) {
+      } else if (rollingSessions && storeImplementsTouch && shouldTouch(req)) {
         // store implements touch method
         debug('touching');
         store.touch(req.sessionID, req.session, function ontouch(err) {

diff --git a/test/session.js b/test/session.js
@@ -1,4 +1,3 @@
-
 process.env.NO_DEPRECATION = 'express-session';
 
 var after = require('after')
@@ -1074,7 +1073,7 @@ describe('session()', function(){
     it('should pass session touch error', function (done) {
       var cb = after(2, done)
       var store = new session.MemoryStore()
-      var server = createServer({ store: store, resave: false }, function (req, res) {
+      var server = createServer({ store: store, resave: false, rolling: true }, function (req, res) {
         req.session.hit = true
         res.end('session saved')
       })
@@ -1099,6 +1098,28 @@ describe('session()', function(){
         .end(cb)
       })
     })
+
+    it('should not touch with bogus req.sessionID', function (done) {
+      var store = new session.MemoryStore()
+      var server = createServer({ store: store, resave: false, rolling: true }, function (req, res) {
+        req.sessionID = function () {}
+        req.session.test1 = 1
+        req.session.test2 = 'b'
+        res.end()
+      })
+
+      request(server)
+      .get('/')
+      .expect(shouldNotHaveHeader('Set-Cookie'))
+      .expect(200, function (err) {
+        if (err) return done(err)
+        store.length(function (err, length) {
+          if (err) return done(err)
+          assert.equal(length, 0)
+          done()
+        })
+      })
+    })
   });
 
   describe('saveUninitialized option', function(){
@@ -1702,7 +1723,7 @@ describe('session()', function(){
     describe('.touch()', function () {
       it('should reset session expiration', function (done) {
         var store = new session.MemoryStore()
-        var server = createServer({ resave: false, store: store, cookie: { maxAge: min } }, function (req, res) {
+        var server = createServer({ resave: false, rolling: true, store: store, cookie: { maxAge: min } }, function (req, res) {
           req.session.hit = true
           req.session.touch()
           res.end()