I work with an app that already has its own infrastructure. The task is to prevent a user from logging in from several browsers. Our application has a single app architecture, so ideally the user should work in only one browser tab. And I have a problem: I can't remove the cookie from the client.
I. Briefly.
App settings:
Server: NodeJS, Port: 8083
Client: VueJS, Port: 8088
I use the express-session module to initialize the session mechanism on the server side and send cookies to the client. The client hasn't set cookies.
II. Details:
Server's root file is index.js. I do the following in it:

express module:

    const express = require('express')

cors module:

    const cors = require('cors')

cors settings:

    app.use(cors({
      origin: 'http://localhost:8088',
      credentials: true
    }))

Then I initialize the session in the user.js file and receive the client's connections:

express-session module:

    const session = require('express-session')

express.Router():

    const router = express.Router()

    const EIGHT_HOURS = 1000 * 60 * 60 * 8
    const {
      SESS_NAME = 'sid',
      SESS_LIFETIME = EIGHT_HOURS,
      SESS_SECRET = 'test',
      NODE_ENV = 'development'
    } = process.env
    const IN_PROD = NODE_ENV === 'production'

    router.use(session({
      name: SESS_NAME,
      resave: false,
      saveUninitialized: false,
      secret: SESS_SECRET,
      cookie: {
        maxAge: SESS_LIFETIME,
        sameSite: false,
        // Must have HTTPS for 'secure: true' to work
        secure: IN_PROD
      }
    }))

router.post()

So what I did:

req.session.destroy to remove the session data, expecting the browser to log the user out of that browser and clear the cookies.

    req.session.destroy(err => {
      if (err) {
        return res.send({ error: 'Logout error' })
      }
      res.clearCookie(SESS_NAME, {path: '/'})
      return res.send({ 'clearSession': 'success' })
    })

Unfortunately nothing magic happens.

I read different topics. For example, here (GitHub) they offer the conclusion: explicitly indicate the cookie's path in the res.clearCookie method, as shown above.
That didn't work.

Wrote the setting {path: '/'} in the cookie settings. That didn't work either.

    router.use(session({
      name: SESS_NAME,
      resave: false,
      saveUninitialized: false,
      secret: SESS_SECRET,
      cookie: {
        path: '/',
        maxAge: SESS_LIFETIME,
        sameSite: false,
        // Must have HTTPS for 'secure: true' to work
        secure: IN_PROD
      }
    }))

And as written in the express-session documentation (NPM: express-session), this path is the default path for cookie storage.

req.session = null in req.session.destroy:

    req.session.destroy(err => {
      if (err) {
        return res.send({ error: 'Logout error' })
      }
      req.session = null
      res.clearCookie(SESS_NAME, {path: '/'})
      return res.send({ 'clearSession': 'success' })
    })

That didn't work.

delete req.session doesn't work either.

So, how can I resolve this problem? What should I do?

Adding .send('cleared cookie') made my browser clear its cache of the named cookie.

    const logOutRequest = (req, res) => {
      req.session.destroy((err) => {
        res.clearCookie("notcookie").send('cleared cookie');
      });
    };
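
The goal stated in the question (one active browser per user) can be enforced on the server, so it does not depend on an older browser dropping its cookie. The following is an added example, not code from the question or the answer: `activeSessions`, `onLogin`, `requireCurrentSession` and `onLogout` are hypothetical names, the in-memory Map assumes a single Node process, and `store` is assumed to be the express-session store, which provides `destroy(sid, callback)`.

```javascript
// Added example (hypothetical names). Maps userId -> the one session ID
// that is currently allowed for that user. Assumes a single Node process.
const activeSessions = new Map();

// Call after the credentials have been verified.
// `store` is the express-session store (must provide destroy(sid, callback)).
function onLogin(req, store, userId, done) {
  const previousSid = activeSessions.get(userId);
  req.session.userId = userId;
  activeSessions.set(userId, req.sessionID);
  if (!previousSid || previousSid === req.sessionID) return done(null);
  // Invalidate the older browser's session on the server. Its cookie may
  // remain in that browser, but it no longer refers to any session data.
  store.destroy(previousSid, done);
}

// Middleware for protected routes: only the latest session is accepted.
function requireCurrentSession(req, res, next) {
  const userId = req.session && req.session.userId;
  if (!userId || activeSessions.get(userId) !== req.sessionID) {
    return res.status(401).send({ error: 'Session is no longer active' });
  }
  next();
}

// Logout: drop the server-side record first, then ask the browser to
// remove the cookie. The name and path must match the ones used in session().
function onLogout(req, res, cookieName) {
  const userId = req.session && req.session.userId;
  if (userId && activeSessions.get(userId) === req.sessionID) {
    activeSessions.delete(userId);
  }
  req.session.destroy(err => {
    if (err) return res.status(500).send({ error: 'Logout error' });
    res.clearCookie(cookieName, { path: '/' });
    res.send({ clearSession: 'success' });
  });
}
```

With this in place, a request from the older browser is rejected by `requireCurrentSession` even if that browser still sends its old `sid` cookie.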