The originalId == req.session.id check is redundant, we can use isNew.
All the set-cookie skip conditions require !isNew, so we can put them under this condition.
originalId == req.session.id
Now that we have hasLongExpires, i think that we can remove the hash check originalHash == hash(req.session). Sessions with an expiration time under the "long" threshold will act like rolling sessions, updating the cookie on each request, regardless of changes to any stored data.
originalHash == hash(req.session)
I will update the pr if this seems reasonable.
session: simplify set-cookie
I will reopen this from a branch.