Pangit

Reputation: 664

Express-session confusion attempting to delete session and cookie

I am running a Node.js/Express application using the 'express-session' module for handling session variables. Everything seems fine until I attempt to delete the session data AND the cookie. One code attempt to accomplish this is as follows:

    if (typeof req.session.user != "undefined") {
        req.session.destroy(function(err) {
            res.cookie("connect.sid", "", {
                path: "/",
                httpOnly: true,
                secure: false,
                expires: new Date(1)
            });
        });
    }

This code throws the following error: "TypeError: Cannot read property 'id' of undefined". I have no idea what the issue is. However if I remove the 'req.session.destroy' part, as here:

    if (typeof req.session.user != "undefined") {
        // req.session.destroy(function(err) {
        res.cookie("connect.sid", "", {
            path: "/",
            httpOnly: true,
            secure: false,
            expires: new Date(1)
        });
        // });
    }

No error is thrown using the above code...however obviously the session variables still exist. I am having difficulty determining if the cookie was in fact deleted. Evidently (the first block of code above) doesn't like the "connect.sid" name being passed, which should be fine since I am using the default value and have not assigned a different name for the cookie.

I have spent a great amount of time trying to resolve how to 'properly' bring an end to an 'express-session'. For example:

...I have used the fs module to remove the session variables from my 'store.txt' file however (surprisingly) that does not 'destroy' the session. The session variables continue to 'live' upon another run of the application.

...I have also attempted to destroy particular session variables by passing a 'session ID' such as 'req.session.destroy(session ID)' without any success...

...However just calling 'req.session.destroy()' will properly delete the current session, however I require the ability to eliminate particular session information (for example 'stale/inactive' sessions that I am trying to remove) and the inability to do that is maddening. That is why I attempted to pass the 'session ID' with my 'destroy' calls above.

...I have intentionally not defined an "expires" for the cookie, which according to the documentation should treat the cookie as 'non persistent'. Unfortunately it seems my session variables do in fact persist upon different runs of the application. This confuses me, if a cookie is non persistent how can the session variables identify the browser across separate executions of the application?

At this point I have essentially given up on how to bring my session(s) to an end. For some reason this seems to be very closely guarded information...or I simply am so lost it is beyond my comprehension. ANY advice on the correct way(s) to BOTH end (destroy) a session AND destroy the generated cookie is GREATLY appreciated. The 'express-session' module is so widely used I find it shocking there is such a paucity of documentation on how to accomplish these tasks correctly.

I thank you in advance.

Upvotes: 2

Views: 5001

Answers (1)

Tsvetan Ganev

Reputation: 8856

> I have also attempted to destroy particular session variables by passing a 'session ID' such as 'req.session.destroy(session ID)' without any success

I think you got that wrong. req.session is always the current user's session (associated with the Request at hand). You don't need to provide IDs - you only have access to the current one. If you want to modify other users' sessions (e.g. if one user logs out, you want to log other users out as well), you can use the session store object and operate on all active sessions.

You can delete a session in the following ways:

  • call req.session.destroy() - you can provide a callback function where you will have a guarantee that the session was deleted from the store (since this usually is an async operation)
  • if you initialize the session object like this: session({ ..., unset: 'destroy' })
    • set the session to null: req.session = null. This will destroy the underlying session once the response is finished.
    • delete the session property from the request object: delete req.session. This will also destroy the session after the response ends.
  • use the session store object: store.destroy('MY_SESSION_ID', () => console.log('session was deleted from the store'))

All these will unset the cookie on the client no matter what expires value you have set.

Upvotes: 4
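
The two cases the answer separates, as an added example that is not part of either post: ending the current request's session with req.session.destroy() followed by res.clearCookie(), and removing stale sessions by ID through the store. StandInStore and the lastSeen field are assumptions made so the file runs without npm, and store.all() is assumed to yield an object keyed by session ID.

```javascript
// Added example; not code from the question or the answer.
// StandInStore is a constructed stand-in exposing the same callback methods
// (all, destroy) as an express-session store, so the file runs without npm.
class StandInStore {
  constructor(sessions) { this.sessions = { ...sessions }; }
  all(cb) { cb(null, { ...this.sessions }); }
  destroy(sid, cb) { delete this.sessions[sid]; cb(null); }
}

// Logout for the current request: remove the record from the store, then
// expire the browser cookie. "connect.sid" is the default cookie name.
function logout(req, res, done) {
  req.session.destroy((err) => {
    if (err) return done(err);
    res.clearCookie("connect.sid", { path: "/" });
    done(null);
  });
}

// Server-side cleanup of other sessions: destroy every session whose
// lastSeen (hypothetical field the app would update per request) is too old.
function purgeStaleSessions(store, maxIdleMs, now, done) {
  store.all((err, sessions) => {
    if (err) return done(err);
    const stale = Object.keys(sessions).filter(
      (sid) => now - (sessions[sid].lastSeen || 0) > maxIdleMs
    );
    if (stale.length === 0) return done(null, []);
    let pending = stale.length;
    let failed = null;
    for (const sid of stale) {
      // The session ID goes to the store, never to req.session.destroy().
      store.destroy(sid, (e) => {
        failed = failed || e;
        if (--pending === 0) done(failed, failed ? undefined : stale);
      });
    }
  });
}
```

With a real store the callbacks fire asynchronously, so send the response or redirect from inside the done callback.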
