diff --git a/HISTORY.md b/HISTORY.md
index 3d6753c0..27694bbe 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
+ * Fix issue where `Set-Cookie` `Expires` was not always updated
 * Methods are no longer enumerable on `req.session` object
 * deps: cookie@0.3.1
 - Add `sameSite` option
diff --git a/index.js b/index.js
index 4f465609..8bec911d 100644
--- a/index.js
+++ b/index.js
@@ -192,19 +192,21 @@ function session(options){
 return;
 }
- var cookie = req.session.cookie;
+ if (!shouldSetCookie(req)) {
+ return;
+ }
 // only send secure cookies via https
- if (cookie.secure && !issecure(req, trustProxy)) {
+ if (req.session.cookie.secure && !issecure(req, trustProxy)) {
 debug('not secured');
 return;
 }
- if (!shouldSetCookie(req)) {
- return;
- }
+ // touch session
+ req.session.touch();
- setcookie(res, name, req.sessionID, secrets[0], cookie.data);
+ // set cookie
+ setcookie(res, name, req.sessionID, secrets[0], req.session.cookie.data);
 });
 // proxy end() to commit the session
@@ -285,9 +287,6 @@ function session(options){
 return _end.call(res, chunk, encoding);
 }
- // touch session
- req.session.touch();
-
 if (shouldSave(req)) {
 req.session.save(function onsave(err) {
 if (err) {
diff --git a/test/session.js b/test/session.js
index 35f20de2..b6b6f01d 100644
--- a/test/session.js
+++ b/test/session.js
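Review bot: In index.js, `req.session.touch()` now sits behind two early returns in the header callback (`!shouldSetCookie(req)` and the secure-cookie check), while the second hunk removes the call that ran before `if (shouldSave(req))` in what looks like the `end()` proxy. A request that skips the cookie, for instance a `secure` cookie requested over plain HTTP, therefore appears to reach the save without its max age being reset, so the expiry kept in the store can drift from the idle timeout the application intends. A guarded call would cover both paths: add `touched = true;` next to the new `req.session.touch();`, restore `if (!touched) { req.session.touch(); }` ahead of the save, and declare `var touched = false;` with the other per-request state. Both the callback and the `end()` wrapper begin outside the visible hunks, so where that declaration belongs cannot be confirmed from here.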
@@ -255,6 +255,34 @@ describe('session()', function(){
 })
 })
+ it('should update cookie expiration when slow write', function (done) {
+ var app = express();
+ app.use(session({ rolling: true, secret: 'keyboard cat', cookie: { maxAge: min }}));
+ app.use(function (req, res, next) {
+ req.session.user = 'bob';
+ res.write('hello, ');
+ setTimeout(function () {
+ res.end('world!');
+ }, 200);
+ });
+
+ request(app)
+ .get('/')
+ .expect(shouldSetCookie('connect.sid'))
+ .expect(200, function (err, res) {
+ if (err) return done(err);
+ var originalExpires = expires(res);
+ setTimeout(function () {
+ request(app)
+ .get('/')
+ .set('Cookie', cookie(res))
+ .expect(shouldSetCookie('connect.sid'))
+ .expect(function (res) { assert.notEqual(originalExpires, expires(res)); })
+ .expect(200, done);
+ }, (1000 - (Date.now() % 1000) + 200));
+ });
+ });
+
 describe('when response ended', function () {
 it('should have saved session', function (done) {
 var saved = false
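Review bot: The final assertion, `assert.notEqual(originalExpires, expires(res))`, passes for any change in the `Expires` value, including one that moves it earlier. Assuming the `expires()` helper returns the attribute's date string, `assert.ok(Date.parse(expires(res)) > Date.parse(originalExpires));` would pin the direction of the change. The test also runs only with `rolling: true`, so a request where no cookie is set, and `touch()` is therefore not reached before the save, has no coverage in this hunk.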