I'm using passport-local. I have a logout method that calls req.logout to end the session. The problem is it doesn't clear req.session so connect saves a bogus session entry to redis when req.send is called:
Before logout:
1) "{\"cookie\":{\"originalMaxAge\":259200000,\"expires\":\"2014-03-21T22:03:55.265Z\",\"httpOnly\":true,\"path\":\"/\"},\"passport\":{\"user\":\"bn\"}}"
After logout:
1) "{\"cookie\":{\"originalMaxAge\":259200000,\"expires\":\"2014-03-21T22:04:01.148Z\",\"httpOnly\":true,\"path\":\"/\"},\"passport\":{}}"
Is this something we're expected to take care of ourselves?
It only removes the user from the session, since that is all it put there. If you want other things removed, that's an application's responsibility, since it would have been the application that added them.
I just had this same question. It would be helpful to others if the documentation were updated to reflect your answer, i.e. that the application must destroy the session separately. Currently the docs can give the impression that passport would take care of destroying the entire session: "Invoking logout() will remove the req.user property and clear the login session (if any)."
@jaredhanson what about the following use case. Using express with the middleware stacked like so (coffeescript sorry):
app.use express.session(
secret: sessionSecret
store: sessionStore
#set cookie expiration in ms
cookie: { maxAge: (oneDay*3000) }
proxy: true
)
app.use passport.initialize()
app.use passport.session({pauseStream: true})
app.use app.router
Then a login route like so:
app.post "/login", passport.authenticate("local"), (req, res, next) ->
If the authenticate fails 401 is returned directly by the passport authenticate middleware. When are we supposed to clean the session up that got created by the session middleware earlier in the stack?
I suppose we should be cleaning it up in the strategy implementation?
@jaredhanson I'm confused by this behavior, if passport does not have to destroy the session why it opens it in the first place? maybe it should ask to created in the strategy definition or when serializing. Like @ihinsdale said, as least it should be in the documentation, I thought this was a bug. If you need help I'll be glad to help with this.
i had the same question.
"req.logout doesn't remove session in sessionStore with connect-mongo"
I took a look at this and #246 today. I've traced the calls while monitoring Redis, and the express-session API has changed since the middle of this issue timeline.
expressjs/session#50 (2014 June 14) added a new unset option, where the session will be destroyed during res.end. RedisStore must be initialized with option unset: "destroy" and res.session must be null :
https://github.com/expressjs/session/blob/cd6b0879af2792aeb832bf072dd73327f54adde6/index.js#L242
passport does remove the user information after logout, I think the unset solution from express-session to clean up at the end of the response is sensible.
Wondering about this myself. Maybe just a documentation issue like others have mentioned.
I've just come across this with the same problem. I'd be happy for a documentation change to be made.
I have come across the same problem, is there anyway to delete the session on logout?
Any further update guys ?? I'm using this :
request.session.destroy()
This does clear session for me.
I'm in a case where I want to destroy another session. How can I do that? I don't find any doc about that.
For the story, I'm implementing a "max sessions limit" which automatically deletes the oldest session, which won't be the current session. https://github.com/expressjs/session#sessiondestroycallback
Well, I actually just found it in the doc. https://github.com/expressjs/session#storedestroysid-callback
Gonna give it a try.
Guys, take a look at this, I coded a redis function to manually destroy the session but found out today that I could remove it and just set the variable unset to 'destroy' under Session.
var sess = {
name: '***'
, secret : '***'
, proxy: true
, secure: false
, ephemeral: false
, duration: cookie_duration
, activeDuration: cookie_duration
, resave: false
, saveUninitialized: true
, store: app.store
**, unset: 'destroy'**
}
https://github.com/expressjs/session
```
Control the result of unsetting req.session (through delete, setting to null, etc.).
The default value is 'keep'.
'destroy' The session will be destroyed (deleted) when the response ends.
'keep' The session in the store will be kept, but modifications made during the request are ignored and not saved.
const express_session = require('express-session'),
RedisStore = require('connect-redis')(express_session)
app.set('redis_store', new RedisStore({
client: new Redis({
db: 5
}),
ttl: 60 * process.env.session_exp_mins
}))
app.set('session_vars', {
prefix: process.env.session_prefix,
secret: process.env.session_secret,
name: process.env.session_name,
store: app.get('redis_store'),
rolling: true,
saveUninitialized: true,
unset: 'destroy',
resave: true,
proxy: process.env.protocol === 'https',
logErrors: process.env.debug === 'true',
cookie: {
path: '/',
domain: '.' + process.env.app_domain,
secure: process.env.protocol === 'https',
maxAge: 60000 * process.env.session_exp_mins,
httpOnly: true,
expires: false
}
})
app.set('session', express_session(app.get('session_vars')))
app.use(app.get('session'))
Delete Session
req.session.destroy(() => {
console.log('redis_store destroy: ' + process.env.session_prefix + sess_id)
// sess:Jv3OG0YStN6fJ6u62uMmljPlhGZU6etu
app.get('redis_store').destroy(process.env.session_prefix + sess_id, () => {
})
})
Most helpful comment
Any further update guys ?? I'm using this :
This does clear session for me.