sidebase · interpretor · Nov 28, 2022 · Nov 28, 2022 · Nov 28, 2022 · Nov 30, 2022
diff --git a/README.md b/README.md
@@ -220,7 +220,9 @@ Here's what the full _default_ module configuration looks like:
     // The request-domain is strictly used for the cookie, no sub-domains allowed
     domain: null,
     // Sessions aren't pinned to the user's IP address
-    ipPinning: false
+    ipPinning: false,
+    // Sessions are saved to the store, even if they were never modified during the request
+    resave: true
   },
   api: {
     // The API is enabled

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,6 +35,7 @@
     "argon2": "^0.30.2",
     "dayjs": "^1.11.6",
     "defu": "^6.1.0",
+    "fast-deep-equal": "^3.1.3",
     "h3": "^1.0.1",
     "unstorage": "^1.0.1"
   },

diff --git a/src/module.ts b/src/module.ts
@@ -23,7 +23,8 @@ const defaults: FilledModuleOptions = {
       options: {}
     },
     domain: null,
-    ipPinning: false as boolean|SessionIpPinningOptions
+    ipPinning: false as boolean|SessionIpPinningOptions,
+    resave: true
   },
   api: {
     isEnabled: true,

diff --git a/src/runtime/server/middleware/session/index.ts b/src/runtime/server/middleware/session/index.ts
@@ -1,6 +1,7 @@
 import { deleteCookie, eventHandler, H3Event, parseCookies, setCookie } from 'h3'
 import { nanoid } from 'nanoid'
 import dayjs from 'dayjs'
+import equal from 'fast-deep-equal'
 import { SameSiteOptions, Session, SessionOptions } from '../../../../types'
 import { dropStorageSession, getStorageSession, setStorageSession } from './storage'
 import { processSessionIp, getHashedIpAddress } from './ipPinning'
@@ -129,17 +130,23 @@ const ensureSession = async (event: H3Event) => {
 }
 
 export default eventHandler(async (event: H3Event) => {
+  const sessionOptions = useRuntimeConfig().session.session as SessionOptions
+
   // 1. Ensure that a session is present by either loading or creating one
-  await ensureSession(event)
+  const session = await ensureSession(event)
+  // 2. Save current state of the session
+  const source = { ...session }
 
-  // 2. Setup a hook that saves any changed made to the session by the subsequent endpoints & middlewares
+  // 3. Setup a hook that saves any changed made to the session by the subsequent endpoints & middlewares
   event.res.on('finish', async () => {
     // Session id may not exist if session was deleted
     const session = await getSession(event)
     if (!session) {
       return
     }
 
-    await setStorageSession(session.id, event.context.session)
+    if (sessionOptions.resave || !equal(event.context.session, source)) {
-    if (sessionOptions.resave || !equal(event.context.session, source)) {
+    if (sessionOptions.resave || sessionOptions.rolling || !equal(event.context.session, source)) {
-    if (sessionOptions.resave || !equal(event.context.session, source)) {
+    if (sessionOptions.resave || sessionOptions.rolling || !equal(event.context.session, source)) {
+      await setStorageSession(session.id, event.context.session)
+    }
   })
 })
diff --git a/src/types.ts b/src/types.ts
@@ -82,6 +82,13 @@ export interface SessionOptions {
    * @type {SessionIpPinningOptions|boolean}
    */
   ipPinning: SessionIpPinningOptions|boolean,
+  /**
+   * Forces the session to be saved back to the session store, even if the session was never modified during the request.
+   * @default true
+   * @example false
+   * @type boolean
+   */
+  resave: boolean
 }
 
 export interface ApiOptions {