`SessionStore.update_session_state' and `failed_to_verify_session' don't mark the session store as dirty, meaning that the changes made by these methods may not be written to disk. Both of these methods are called part of session verification, so assuming the consumer of the session information fields that are changed by these methods verifies the session(s) first this bug will go unnoticed. The only consumer of these fields that do not verify them beforehand I could find is `tlctl session list'. We should also probably take a closer look around for other places which may make the session store dirty but don't mark it as such.
