how to delete cookie on logout in express + passport js?

Question

I want to "delete cookies on logout". I am not able to do that. I googled for answer and found following ways:

1. Assign new date of expiration to cookie

   res.cookie('connect.sid', '', {expires: new Date(1), path: '/' });

2. Delete cookie using below lines

   res.clearCookie('connect.sid', { path: '/' });

I tried both ways individually but they do not delete the cookie.

Here is my code:

routes.js

module.exports = function(app, passport, session){
    app.get('/', function(req, res)
    {
       res.render('index.ejs');
    });

    app.get('/login', function(req,res){
     res.render('login.ejs',{message:req.flash('loginMessage')});
    });


    app.get('/signup',checkRedirect , function(req, res) {
        res.render('signup.ejs',{message: req.flash('signupMessage')});
    });
    app.get('/profile', isLoggedIn, function(req,res) {
        res.render('profile.ejs', {
            user :req.user
        });
    });
    app.post('/signup', passport.authenticate('local-signup', {
        successRedirect : '/profile',
        failureRedirect : '/signup',
        failureFlash : true
    }));
    app.post('/login',  passport.authenticate('local-login', {

        successRedirect : '/profile',
        failureRedirect : '/login',
        failureFlash :true

    }));
app.get('/logout',function(req,res){
    res.cookie('connect.sid', '', {expires: new Date(1), path: '/' });
   req.logOut();
    res.clearCookie('connect.sid', { path: '/' });
    res.redirect('/');
});

function isLoggedIn(req, res, next){

    if(req.isAuthenticated())
      return next();

    console.log("hiii");
    res.redirect('/');
}

};

server.js

    var express = require('express');
var app = express();
var port = process.env.PORT || 3000;
var mongoose = require('mongoose');
var passport = require('passport');
var flash=require('connect-flash');
var morgan=require('morgan');
var bodyParser = require('body-parser');
var cookieParser=require('cookie-parser');
//
var session=require('express-session');
var RedisStore = require('connect-redis')(session);
var redis   = require("redis");
var redis_client  = redis.createClient();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
var configDb=require('./config/database.js');
mongoose.connect(configDb.url);

require('./config/passport')(passport);

app.use(morgan('dev'));
app.use(cookieParser());
app.use(bodyParser());
app.set('view engine', 'ejs');


app.use(session({
    store: new RedisStore({
    host: '127.0.0.1',
    port: 6379,
    client: redis_client
}),
    secret : 'foo',
    resave: false,
    saveUninitialized: false
}));
app.use(function (req, res, next) {
    if (!req.session) {
        return next(new Error('oh no')); // handle error
    }
    next();
});


});

app.use(passport.initialize());
app.use(passport.session());
app.use(flash());

require('./app/routes')(app, passport, session);
app.listen(port, function(){
    console.log('server is at port' + port);
});

Answer 1

I was struggling with this issue myself. Previously I tried logout and session.destroy, and none worked for me. Then I found the above answers with the clearCookie addition, and that did the trick.

However, I was wondering if those functions are at all having any effect, given that without clearCookie they didn't. So I omitted them.

Also, as status(200) is overridden by redirect (which sets status to 302), I reckoned I'd omit that too.

As for the options to clearCookie in Will59's solution, they looked like they could be the defaults anyhow, so I tried omitting them as well.

I ended up with two lines of code bellow. They worked for me with Chrome, Firefox and Safari (the most recent versions at time of this writing).

router.get('/logout', function (req, res) {
  res.clearCookie('connect.sid');
  res.redirect('/');
});

Answer 2

res.clearCookies is kind of messed up. As an alternative, call res.cookie again with whatever options you used to create the cookie in the first place, along with expires: new Date(1), like this:

// Use the same httpOnly, secure, sameSite settings to "delete" the cookie
res.cookie("jwt", "", {
    httpOnly: true, 
    secure: true,
    sameSite: "none",    
    expires: new Date(1)
});

Essentially you are replacing the old cookie with a new one that expires immediately.

Answer 3

pjiaquan's did not work with chromium for me, the cookie was still around. The issue comes from the res.clearCookie method, as explained in http://expressjs.com/en/api.html:

Web browsers and other compliant clients will only clear the cookie if the given options is identical to those given to res.cookie(), excluding expires and maxAge.

In my case, the solution ended up being:

router.get('/logout', function (req, res) {
  req.logOut();
  res.status(200).clearCookie('connect.sid', {
    path: '/',
    secure: false,
    httpOnly: false,
    domain: 'place.your.domain.name.here.com',
    sameSite: true,
  });
  req.session.destroy(function (err) {
    res.redirect('/');
  });
});

Answer 4

Please try this:

router.get('/logout', function (req, res) {
  req.logOut();
  res.status(200).clearCookie('connect.sid', {
    path: '/'
  });
  req.session.destroy(function (err) {
    res.redirect('/');
  });
});

Answer 5

So none of the suggestions here worked for me, until I realized I was doing a dumb:

Using Github, I set up an OAuth app (you can do this in your profile settings), and used that for authentication.

Worked a charm! But it was always sending me back the same profile, even when I logged out from my app. Clearing all browser storage didn't fix it.

Then it dawned on me that I was still logged into my github account (and that was the profile I was always getting)... once I logged out of that, then the OAuth app prompted me for my user/pw again.

Answer 6

You can use req.session.destroy in logout route to destroy the session below is the code for reference :)

app.get('/logout', function(req,res){
 req.logOut();
 req.session.destroy(function (err) {
        res.redirect('/'); //Inside a callback… bulletproof!
    });
});