 

Does Passport's logout function remove the cookie? If not, how does it work?

From the docs:

Passport exposes a logout() function on req (also aliased as logOut()) that can be called from any route handler which needs to terminate a login session. Invoking logout() will remove the req.user property and clear the login session (if any).

    app.get('/logout', function(req, res){
      req.logout();
      res.redirect('/');
    });

From reading this and testing myself, it doesn't seem that logout removes the cookie from the client. From what I understand, when the client makes a request, it sends along its cookie, which Passport deserializes and transforms into req.user.

Assuming that logout doesn't remove the cookie and that Passport uses the cookie to determine whether or not the user is logged in, how does the logout function actually log the user out?

Adam Zerner asked Jul 26 '15 20:07


1 Answer

I'm coming across this question about four years later, and fortunately, I think I understand it now.

Passport's logout function does not clear the session ID cookie for you. However, that isn't actually a problem. I'll explain why.

When you are logged in, here is how things work. When you send a request to the server, the session ID cookie is sent along with the request. Then the server takes that session ID, looks up the corresponding user with an active session, and populates req.user for you.

With that said, think about what happens if you log out, but don't clear that session ID cookie. Next time a request is sent, the cookie will still be sent along, because it wasn't cleared. But then what happens? It'll try to look up the corresponding user with an active session... but it won't find anything! So req.user won't end up being populated. That's why it isn't a big deal whether or not that cookie gets deleted.

Adam Zerner answered Sep 27 '22 23:09