I am using express session and mongo connect for user auth, which is used by an angular client via CORS request.
app.use(express.cookieParser());
app.use(express.session({
    secret: 'xxxxxx',
    store: new MongoStore({
        db: 'dbname',
        clear_interval: 3600,
        host: 'localhost',
        port: 27017
    })
}));
The login works fine and the cookie is dropped and session all works as expected.
My problem is with ending the session. I have a logout route, which essentially does this:
req.session.destroy(function() {
    // log out code
});
However in mongo db.sessions, the session still exists, and the sid cookie still remains on the user agent, so if the user revisits any "protected" URLs after logging out the session is regenerated.
So it looks like I need to either remove the cookie or remove the session from the db, the latter seems wrong, so I am trying to remove the cookie, but no luck, tried this in Express:
req.session.destroy(function() {
    res.clearCookie('connect.sid', { path: '/' });
});
And it appears I can't delete the sid cookie on the client with JavaScript since it is HTTP-only (??). This didn't work:
document.cookie = 'connect.sid=; path=/; domain=localhost; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
Any ideas how to get rid of this annoying session cookie??!
cookieSession (options) Create a new cookie session middleware with the provided options. This middleware will attach the property session to req, which provides an object representing the loaded session. This session is either a new session if no valid session was provided in the request, or a loaded session from the request.
To delete a cookie, use the clearCookie function. For example, if you need to clear a cookie named foo, use the following code.
var express = require('express');
var app = express();
app.get('/clear_cookie_foo', function(req, res) {
    res.clearCookie('foo');
    res.send('cookie foo cleared');
});
app.listen(3000);
ExpressJS - Cookies. Cookies are simple, small files/data that are sent to client with a server request and stored on the client side. Every time the user loads the website back, this cookie is sent with the request. This helps us keep track of the user’s actions. To use cookies with Express, we need the cookie-parser middleware.
This is a Node.js module available through the npm registry. Installation is done using the npm install command:
req.session.destroy() should clear the session in the db.
Express is probably using a different sessionID when trying to destroy the session. Make sure Session.prototype.destroy is actually pulling the correct this.id that matches the id in mongodb.sessions.
I just came across this issue and it was because my request to the server to log out the user wasn't containing a session cookie (had left out withCredentials).
$.ajax({
    url: 'http://url/auth/logout',
    type: 'GET',
    xhrFields: {
        withCredentials: true
    }
});
This caused express to generate a new session id for the request and asked mongodb to remove a session with that new id (leaving the old one untouched).
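The behaviour described in the last answer, as an added example that is not part of the original thread and is not express-session's own code: a small model of a session store and logout handler showing which session gets destroyed with and without the cookie. The names `createStore`, `readSid`, `logout`, `demo` and the origin value are assumptions, and cookie signing is left out.

```javascript
// Added model of the logout flow. Session ids are a counter so the run is
// repeatable; real session ids are random and the real cookie value is signed.
function createStore() {
  let n = 0;
  const sessions = new Map();
  return {
    sessions,
    create(data) {
      const sid = 'sid-' + (++n);
      sessions.set(sid, data);
      return sid;
    },
    destroy(sid) { return sessions.delete(sid); },
  };
}

// Pull connect.sid out of a Cookie request header, if the browser sent one.
function readSid(cookieHeader) {
  const m = /(?:^|;\s*)connect\.sid=([^;]+)/.exec(cookieHeader || '');
  return m ? decodeURIComponent(m[1]) : null;
}

// What the session middleware plus the logout route do for one request.
function logout(store, cookieHeader, origin) {
  let sid = readSid(cookieHeader);
  const hadCookie = sid !== null && store.sessions.has(sid);
  // No valid cookie: the middleware starts a fresh session for this request.
  if (!hadCookie) sid = store.create({});
  store.destroy(sid); // destroy() removes only *this request's* session
  return {
    destroyedSid: sid,
    hadCookie,
    headers: {
      'Set-Cookie': 'connect.sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly',
      // Credentialed CORS needs an explicit origin (not "*") and this flag.
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    },
  };
}

// Constructed scenario: one logged-in user, then two logout attempts.
function demo() {
  const store = createStore();
  const userSid = store.create({ user: 'alice' });
  const origin = 'http://localhost:9000'; // assumed client origin
  const without = logout(store, undefined, origin); // withCredentials omitted
  const survivedFirst = store.sessions.has(userSid);
  const withCookie = logout(store, 'connect.sid=' + userSid, origin);
  return { userSid, without, survivedFirst, withCookie, left: store.sessions.size };
}
```

The first logout destroys a throwaway session and leaves the user's record in the store; only the request that carries the cookie removes it.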