MERN Stack & GraphQL - #12 Session Lifetime

Code Realm

If this video didn't make sense: express-session always calls session.touch() on every request. This does two things: (1) resets the session.expires date to keep it alive (but does NOT actually save it to Redis), and (2) resets the TTL (time-to-live) in Redis to its original cookie.maxAge ÷ 1000 (in seconds). Why is this a problem? Because it leaves session.expires out of sync with the TTL, and opens a backdoor for infinite sessions. There is no way to opt out of this! But we can work around it.

What did we do? We set "resave: true" so that when the session's expiry date is reset, the session is resaved to the store to reflect that change, and also to stay in sync with the TTL. We also set "rolling: true" to send a new cookie should the expiry date change. This way, we keep all three (the expiry date, the TTL, and the cookie) in sync. Your session stays alive as long as you keep using the site, but after you leave for 2+ hours, you have to log back in. The 2 hours could be 12, 24, etc. hours at your discretion. IMO that's the most reasonable approach given the constraints.
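The drift described above, and the effect of the two settings, as an added example (not code from the video or from express-session). It is a small model of the behaviour as this description states it: `FakeStore`, `request` and `simulate` are hypothetical names, the store is an in-memory stand-in for Redis, and the 2-hour `MAX_AGE` is the value mentioned above.

```javascript
// Model of the behaviour described above, NOT express-session's own code.
// FakeStore is a constructed in-memory stand-in for Redis; times are in ms.
const HOUR = 60 * 60 * 1000;
const MAX_AGE = 2 * HOUR; // cookie.maxAge

class FakeStore {
  constructor() { this.rows = new Map(); }
  set(sid, sess, now) { // save the session body and start a fresh TTL
    this.rows.set(sid, { json: JSON.stringify(sess), ttlEnd: now + MAX_AGE });
  }
  touch(sid, now) { // reset the TTL only; the saved body is left untouched
    this.rows.get(sid).ttlEnd = now + MAX_AGE;
  }
  get(sid, now) { // a key whose TTL has run out is gone
    const row = this.rows.get(sid);
    if (!row || row.ttlEnd <= now) { this.rows.delete(sid); return null; }
    return row;
  }
}

// One request at time `now`. Returns the three values that must agree,
// or null when the store no longer has the session (log in again).
// The model only records the cookie expiry; it does not drop the cookie.
function request(store, sid, now, opts, browser) {
  const row = store.get(sid, now);
  if (!row) return null;
  const sess = JSON.parse(row.json);
  sess.expires = now + MAX_AGE;               // (1) expiry reset in memory
  store.touch(sid, now);                      // (2) TTL reset in the store
  if (opts.resave) store.set(sid, sess, now); // persist the new expiry
  if (opts.rolling) browser.cookieExpires = sess.expires; // re-send cookie
  const saved = store.get(sid, now);
  return {
    storedExpires: JSON.parse(saved.json).expires,
    ttlEnd: saved.ttlEnd,
    cookieExpires: browser.cookieExpires,
  };
}

// Log in at t=0, then send one request at each of the given hours.
function simulate(opts, hours) {
  const store = new FakeStore();
  const browser = { cookieExpires: MAX_AGE };
  store.set('sid-1', { userId: 'u1', expires: MAX_AGE }, 0);
  return hours.map((h) => request(store, 'sid-1', h * HOUR, opts, browser));
}

console.log(simulate({ resave: false, rolling: false }, [1, 2, 3]));
console.log(simulate({ resave: true, rolling: true }, [1, 2, 3, 6]));
```

In the first run the saved expiry and the cookie stay at hour 2 while the TTL keeps moving forward; in the second all three move together, and the request at hour 6 (after more than 2 idle hours) finds no session.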

posted by CydayCitambumyy