Passport: req.logout not working with "local strategy"

Created on 19 May 2014  Â·  42Comments  Â·  Source: jaredhanson/passport

The req.logout method doesn't seem to delete the session values when invoked.

I'm using passport-local and cookie-session, with Express.

It looks like similar issues are discussed on StackOverflow.

Any ideas what might be causing the problem?

Most helpful comment

Yeah, just figured it out, some other post helped me out with this solution, and it worked for me in conjunction with the comment mentioned. Thanks @MichhDiego ;)

app.use(session({ ... resave: false, .... }));

All 42 comments

Same thing here. Using passport-http, basic session, with restify.

I've tried both:

req.logout();
res.send( { message: 'Successfully logged out' } );

and:

req.session.destroy( function ( err ) {
    res.send( { message: 'Successfully logged out' } );
});

Neither of them are working. Any suggestions?

Got the same problem. Seems to be due to changes in Express 4.0.

Same issue here, also using Express 4 + cookie-session.

This is still a problem it would seem... anyone have a good solution yet?

Same issue here

I'm in the same boat. Any update?

Same issue here.
Express 4 + Passport

It seems only happening in Chrome (Version 38.0.2125.122.)
Is that possible ?

Follow-up: for me, it appears to have been a dependency issue (possibly deriving from an automated refactoring that didn't correctly exclude node_modules). I nuked my local node_modules directory, ran npm install, and got a working session logout.

Note that for my tests with jasmine-node and request to work correctly, I had to make sure to supply a request.jar() instance in the jar field of the request object.

Here's my logout:

// Express middleware function for logging out a user. The action is successful
// if the user is no longer authenticated.
var logout = function (req, res, next) {
  // Get rid of the session token. Then call `logout`; it does no harm.
  req.logout();
  req.session.destroy(function (err) {
    if (err) { return next(err); }
    // The response should indicate that the user is no longer authenticated.
    return res.send({ authenticated: req.isAuthenticated() });
  });
};

This works fine with [email protected], [email protected], [email protected], [email protected]. I'm using the connect-pg-simple session store middleware with it, with no issues.

same here, I'm using "express": "^4.13.3","express-session": "^1.12.1", "passport": "^0.3.2","passport-local": "^1.0.0", "sequelize": "^3.14.1".

when logouts it shows req.user = null, but after page refresh it comes again, I think problem is in

passport.deserializeUser(function (id, done) {
User.findById(id).then(function (user) {
var usr = user.get({ plain: true });
done(null, usr);
})
});

any help??

Same issue here. Any update ? @akashdeepshah you have found the solution with function passport.deserializeUser ?

@webus , Previously I was using angular service to logout and it failed, and then I tried directly and it worked !!! hope in your case it works too..

Same issue here.
Express 4 + Passport

How can I fix this? Should I downgrade Express from 4 to 3 ?!

Dears
@akashdeepshah @webus @pensierinmusica @tybenz @mathiasm74 @phof @samuraiken @johnmastri @chriskrycho @MichhDiego
It think I found a solution. Please check it out and share your results.
I use Express v4.13.4 and Passport v0.3.2 in my project. When I want to checkout logged in user, I use req.isAuthenticated() and store it's returned value in a variable. for example:

var _LoggedIn = (req.isAuthenticated() ? true : false);

so, I don't use req.user anymore, and it works for me, and I hope it works for all of us. finally, if I did anything wrong, tell me please. thanks. :)

@omidgolparvar I am really thankful for your answer, but that project is dead! Haha, thanks again anyways.

Any update on this? Still having this issue.
I am using req.logOut() and req.session.destroy(). When I do, the session seems to be destroyed, but when I refresh it still has the old request Authentication and user.

I am using req.isAuthenticated() and it is still getting back a "true" after refresh.

Any recommendations?

Yeah, just figured it out, some other post helped me out with this solution, and it worked for me in conjunction with the comment mentioned. Thanks @MichhDiego ;)

app.use(session({ ... resave: false, .... }));

@omidgolparvar can you explain how that helps you logout from the session for user?

@assadtony You referred to some other post helping you find the solution to this. Can you remember what that was? I'm having the same issue, it looks like the session is being destroyed but when I return to the login page the user is still authenticated.

I had the same problem too, but the following workaround solved it:
// Express Session app.use(session({ secret: 'secret', saveUninitialized: false, resave: false, cookie: { maxAge: 1000 } }));
Then on the logout route
router.get('/logout', function (req, res) { req.logOut(); // remove all session data req.session = null; res.redirect('/login'); });

Cheers.

I have the same problem. session null or destroy solutions seems a bit ham fisted. If you just want to log out and keep other session variables, this doesn't work. Why doesn't req.logout() simply work? Seems like a bug to me. If there is a reason why logout couldn't work, it at least should throw a warning. The underlying problems seems to be that the relevant session variables aren't actually cleared.

So I am having these issues using Express 4.15.4, passport 0.4.0, passport-oauth2 1.4.0, cookie-session 1.3.1. Symptoms are the same as described above.
I have:

app.get('/logout', (req, res) => {
  req.logout();
  res.redirect('/');
});

My / path is protected - if the user is not logged in, it will redirect to login. I added this line to my middleware router: console.log(req.path, ':', req.isAuthenticated()); In Chrome, I navigated to /, confirmed I was still logged in, then navigated to /logout. I ended up back at / logged in. But interestingly, this is how I got there:

/ : true
/logout : true
/ : false
/login : false
/login/callback : false
/ : true

So it looks like (at least in my case), it _is_ logging me out, but when forwarded to passport.authenticate('oauth2'), I'm automatically logged back in without prompt. Any thoughts? Is this symptom the same for everyone else here?

Just logged a similar issue on express

@kathleentully Try creating an express session and use it to destroy the current_user:
const expressSession = require('cookie-session');

// you can set the expiry date
let expiryDate = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days

const session = expressSession( { secret: 'very_secret', saveUninitialized: true, resave: false, cookie: { secureProxy: true, httpOnly: true, expires: expiryDate } });

app.use(session);

// Log out the user
app.get('/logout', (req, res) => { req.logout(); req.session.destroy(); res.redirect('/'); })

Hope this works :)

I am having trouble getting my system to log out with PassportJS. It seems the logout route is being called, but its not removing the session. I want it to return 401

This is still a problem it would seem... anyone have a solution yet?

Having the same problem here

@kievo23 Would you mind sharing a gist of the failing code?

I had same issue so i just looked over the source code of the passport library.
In passport/lib/sessionmanager.js , I found this code

SessionManager.prototype.logOut = function(req, cb) {
  if (req._passport && req._passport.session) {
    delete req._passport.session.user;
  } 
  cb && cb();
}

so i changed this code like this

SessionManager.prototype.logOut = function(req, cb) {
  if(req._passport){
    console.log(req._passport);
  }
   if (req._passport && req._passport.session) {
    delete req._passport.session.user;
  } else {
    delete req.session.passport;
  }
  cb && cb();
}

and below is what my console shows

{ instance: 
   Authenticator {
     _key: 'passport',
     _strategies: { session: [Object], local: [Object], facebook: [Object] },
     _serializers: [ [Function] ],
     _deserializers: [ [Function] ],
     _infoTransformers: [],
     _framework: 
      { initialize: [Function: initialize],
        authenticate: [Function: authenticate] },
     _userProperty: 'user',
     _sm: SessionManager { _key: 'passport', _serializeUser: [Function: bound ] },
     Authenticator: [Function: Authenticator],
     Passport: [Function: Authenticator],
     Strategy: { [Function: Strategy] Strategy: [Circular] },
     strategies: { SessionStrategy: [Object] } } }

I think it is because we have req._passport but req._passport.session.
Although My version of logOut is working, library seems to be updated.

Thanks boomkim https://github.com/boomkim

On Mon, Jan 8, 2018 at 12:56 PM, boomkim notifications@github.com wrote:

I had same issue so i just looked over the source code of the passport
library.
In passport/lib/sessionmanager.js , I found this code

SessionManager.prototype.logOut = function(req, cb) {
if (req._passport && req._passport.session) {
delete req._passport.session.user;
}
cb && cb();
}

so i changed this code like this

SessionManager.prototype.logOut = function(req, cb) {
if(req._passport){
console.log(req._passport);
}
if (req._passport && req._passport.session) {
delete req._passport.session.user;
} else {
delete req.session.passport;
}
cb && cb();
}

and below is what my console shows
{ instance:
Authenticator {
_key: 'passport',
_strategies: { session: [Object], local: [Object], facebook: [Object] },
_serializers: [ [Function] ],
_deserializers: [ [Function] ],
_infoTransformers: [],
_framework:
{ initialize: [Function: initialize],
authenticate: [Function: authenticate] },
_userProperty: 'user',
_sm: SessionManager { _key: 'passport', _serializeUser: [Function: bound ]
},
Authenticator: [Function: Authenticator],
Passport: [Function: Authenticator],
Strategy: { [Function: Strategy] Strategy: [Circular] },
strategies: { SessionStrategy: [Object] } } }

I think it is because we have req._passport but req._passport.session.
Although My version of logOut is working, library seems to be updated.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/jaredhanson/passport/issues/246#issuecomment-355911277,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AelRYnGuTu1O0-00wvOpuBkLi_cWl4Ebks5tIdhMgaJpZM4B7_eT
.

@boomkim can you please explain what you have done?

As far as I can tell from your code you are saying that if req._passport && req._passport.session doesn't exist then delete the session and yet I'm gettting...

SessionManager.prototype.logOut = function(req, cb) {
  if (req._passport && req._passport.session) {
    console.log(req.session.passport.user); //prints User ID
    delete req._passport.session.user;
    console.log(req.session.passport.user); //prints "undefined"
  } 
  cb && cb();
}

@elipeters As far as I know, for this version, since we don't have req._passport.session object, we cannot get into if clause to run 'delete req._passport.session.user;'

what I'm saying is this logout module is not perfect now so if you want to execute logout, you need to delete session by yourself.
you can execute session delete by changing code like this
if(req.session.passport){ delete req.session.passport; }

@kamauharrison it was actually a mistake in my route. its working well

req.logout(); req.session = null; Works for me

it actually worked on mine, the problem with mine was the order of my routes

On Wed, Jun 20, 2018 at 7:29 PM, Joshua McKenzie notifications@github.com
wrote:

No fix for this yet?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/jaredhanson/passport/issues/246#issuecomment-398813144,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AM8Cq_sLcsvHMPOP4YTDHM0dA1iw_8_Aks5t-nhbgaJpZM4B7_eT
.

--

Kelvin Chege
The Web Developer

Dear people, I think I have the same doubts here: https://github.com/expressjs/cookie-session/issues/104#issuecomment-416234872

_Reported from there:_

Reproduction: https://acoustic-red.glitch.me. And also you can use Glitch's button to "Remix" or view source code.

You can see the navbar menu in the top of the page:

image

You can click on "Login" > Login button (form already compiled) > et voilà, you can see the cookies:

test and test.sig:

image

After you can use "Logout" menu link to logout and you can see the cookies already there, but different:

image

What I'm asked in this issue is if it is correct this behaviour: am I wrong?

This is the code for logout:

app.get('/logout', async (req, res) => {
  await req.logout();
  req.session = null;
  res.clearCookie("test")
  res.clearCookie("test.sig")
  return res.redirect('/')
})

Anyone here using "remember-me" strategy by any chance?

Just like most cases discussed above, the session data of my web app kept on coming back alive like zombie no matter how many times I log out, despite I observed in the console that the session data was certainly being deleted with req.logout() or setting null to the req.session.

In my case remember-me was causing the issue when a user is logged in with the remember me option enabled. Solution in my case was to delete remember me token saved in database when the user logs out.

Hi everyone
Try to set cookie in your session with httpOnly: false, this way you can change or remove your connect.sid

app.use(
  session({
    ..., cookie: {
      path: '/',
      httpOnly: false,
      secure: false,
      maxAge: null,
    },
  })
)

app.get('/logout', function (req, res) {
  req.logout()
  res.send('Logout Success!!!')
})

It worked for me on localhost !! (on heroku not working)

I came across similiar issue. I forgot to put { withCredentials: true } on client when axios request is send, which caused unexpected sessions behavior. After that, logout is working right, but don't expect, that cookie will be deleted. Logout action just 'invalidate' the session in DB (user info will be empty)

The issue persists. Logout does seem to work but when I send a request back in it seems to deserialize the previous saved id in cookies.

7 years, and here I'm crying for the issue to be resolved! Please, help.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

itaditya picture itaditya  Â·  5Comments

Manubi picture Manubi  Â·  6Comments

Gibbo3771 picture Gibbo3771  Â·  4Comments

puradox picture puradox  Â·  4Comments

scan picture scan  Â·  7Comments