
either req.logout() or req.session.destroy() does not work

Update:

It behaves consistently with my actual FB login. When I log out of Facebook and then click the "login" button on my website, it redirects me to the Facebook login page and asks me to log in. After that, I come back to the webpage "profile.html" on my website correctly. However, when I click "log out" on my website, it goes to the home page of my website. This time, when I click the "login" button again, it goes directly to "profile.html" on my website. It seems the last "logout" did not work at all. The "logout" only works when I log out of my Facebook account. So the session used on my website relies on Facebook's session. Very weird!


I am using PassportJS to complete my authentication job. But I found req.logout() or req.session.destroy() does not work at all.

    // route for showing the profile page
    app.get('/login', isLoggedIn, function(req, res) {
        res.render('profile', {
            user : req.user // get the user out of session and pass to template
        });
    });

    // route middleware to make sure a user is logged in
    function isLoggedIn(req, res, next) {
        // if user is authenticated in the session, carry on
        if (req.isAuthenticated()) {
            console.log("req is authenticated!");
            return next();
        }

        // if they aren't redirect them to the home page
        res.redirect('/');
    }

    // route for logging out
    app.get('/logout', function(req, res) {
        console.log("logging out!");
        req.logout();
        req.session.destroy();
        res.redirect('/');
    });

When I clicked logout, I could see the "logging out" message. And then I was redirected to the home page. When I clicked login again, I did not see any login window and went directly to the "profile" page. During the process, I did see the "req is authenticated!" message.

My questions:

1: Where is "req.isAuthenticated()" from? Why is it always true?

2: Why does "req.logout()" or "req.session.destroy()" not work?

Thanks

Derek

derek asked Nov 10 '22 02:11


1 Answer

req.isAuthenticated() is part of passport. Relevant code:

    req.isAuthenticated = function() {
      var property = 'user';
      if (this._passport && this._passport.instance._userProperty) {
        property = this._passport.instance._userProperty;
      }

      return (this[property]) ? true : false;
    };

Checks for the property and returns a boolean.


req.logout() removes the property so it returns false in future requests.


Meanwhile, session.destroy comes from expressjs/session middleware, so it's not passport related. Maybe you are creating the session again in the index page. The question needs more info.

Félix Sanz answered Nov 15 '22 11:11
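
Added example (not from the question, the answer, or Passport itself): a dependency-free model of the flow in the question's update, showing that a local logout can invalidate the old session while the next click on "login" still succeeds without a prompt because the provider session is live. `App`, `Provider` and `demo` are hypothetical names, and the provider's silent re-authorization is an assumption of the model.

```javascript
// Model only: App, Provider and demo are hypothetical names, not Passport APIs.
// Same property check as the isAuthenticated() quoted in the answer.
function isAuthenticated(req) { return req.user ? true : false; }

// Stands in for the OAuth provider (Facebook on this page).
class Provider {
  authorize(browser) {
    // Assumption: credentials are requested only when no provider session is live.
    const prompted = !browser.providerSession;
    browser.providerSession = true;
    return { user: { id: 'constructed-user' }, prompted };
  }
}

class App {
  constructor(provider) {
    this.provider = provider;
    this.sessions = new Map(); // server-side store: session id -> { user }
    this.nextId = 1;
  }
  request(sid) { // rebuild req from the session cookie value
    const session = this.sessions.get(sid);
    return { user: session ? session.user : undefined };
  }
  // "Login" button: run the provider flow, then create a local session.
  login(browser) {
    const { user, prompted } = this.provider.authorize(browser);
    browser.appSid = 'sid-' + this.nextId++;
    this.sessions.set(browser.appSid, { user });
    return { prompted, authenticated: isAuthenticated(this.request(browser.appSid)) };
  }
  // Local logout: delete the server-side session and forget the cookie.
  logout(browser) {
    const staleSid = browser.appSid;
    this.sessions.delete(staleSid);
    browser.appSid = null;
    return staleSid; // lets the caller replay the old cookie value
  }
}

function demo() {
  const app = new App(new Provider());
  const browser = { appSid: null, providerSession: false }; // constructed state
  const first = app.login(browser);
  const staleAuthenticated = isAuthenticated(app.request(app.logout(browser)));
  const second = app.login(browser); // provider session still live: no prompt
  app.logout(browser);
  browser.providerSession = false; // user also logs out at the provider
  const third = app.login(browser);
  return { first, staleAuthenticated, second, third };
}
console.log(demo());
```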