express-session call such code to ensure http header has been sent before writing data.
But nodejs has include such code in the ServerResponse class write function.

Another side we should consider is that http2.Http2ServerResponse does not have the property of _implicitHeader. When we start server via http2, the express-session will break.

Hello, and thank you for your issue. Yes, the internal write function would call that, but where it is called in this module happens before the internal write function, as it overrides it. Without calling it, none of the automatic response headers will be present to inspect before the decision making this module does, as well as causes strange issues when res.end gets called twice, among other issues.

If you have a solution that uses a different method but keeps all the behavior intact, please contribute a pull request :) !

has pulled a request : #900

I had the same issue : http2 + express-session and the latest version of express-session 1.17.3 did not help.
express-session is not the only module impacted: I saw people having the same issue with express-compression.

NB.: I am not using ExpressJS, but my framework allows me to use modules/plugins from ExpressJS

Option 1)
You don't have the time to wait for a fix, you can intercept your response and add a test inside your script right before calling res.end(...)

if (!res._implicitHeader) {
    // Hack required until `express-<plugin>` get support for http2 (express-session)
    res._implicitHeader = function(){ return; }; // Don't need, don't care
}
res.end();

This worked for me.

Option 2)
For those brave enough to fixe this issue for people like me.
Open express-session/index.js line @275

You should have something like:

if (!res._header) {
    res._implicitHeader()
}

Needs to be replaced by:

if (!res._header && res._implicitHeader) {
    res._implicitHeader()
}

This will skip the call for people using http2 or when res._implicitHeader not defined.

Let me know if it worked for you guys.