Expressjs does not destroy the session

I have a Backbone View that sends an Ajax call to a server to delete a session.

The following event is fired on the server:

app.delete('/session', function(req, res) {
    if (req.session) {
        req.session.destroy(function() {
            res.clearCookie('connect.sid', { path: '/' });
            res.send('removed session', 200);
        });
    } else {
        res.send('no session assigned', 500);
    }
});

It is strange that I can press the logout button several times without receiving an HTTP 500 error code. Also, Chrome shows me that the cookie still exists.

What is going wrong?

Hi

EDIT

I found out that this is not a session problem, but a cookie problem. I added res.clearCookie to the route. Unfortunately, the behavior (cookie and session stay alive) has not changed.

EDIT2: I now gave res.clearCookie some parameters => res.clearCookie('connect.sid', {path: '/'}); Now at least the cookie has disappeared in the browser. But the session seems to be still available. Or at least I can call the logout route as often as I want without req.session ever being false.

EDIT3: Now I deleted all sessions from redis and restarted everything (redis, node, browser). Then I logged in again and logged out. This still works, but when I reload the page with F5, I get a new session. Why?

+5
1 answer

To focus all the comments together, I wrote an answer:

Since Express always creates a session and cookie for the client, we should use a different approach than just checking if there is a session.

This part handles the login:

app.post('/session', function(req, res) {
    User.findOne({ username: req.body.username })
        .select('salt')     // my mongoose schema doesn't fetch salt
        .select('password') // and password by default
        .exec(function(err, user) {
            if (err || user === null) throw err; // awful error handling here
            // mongoose schema method which checks if the sent credentials
            // are equal to the hashed password (allows callback)
            user.hasEqualPassword(req.body.password, function(hasEqualPassword) {
                if (hasEqualPassword) {
                    // if the password matches we do this:
                    req.session.authenticated = true; // flag the session; all logged-in checks now test whether authenticated is true (required for the secured-area-check middleware)
                    req.session.user = user; // this is optional. I have done this because I want the user credentials available
                    // another benefit of storing the user instance in the session is
                    // that we gain from the speed of redis. If the user logs out we would have to save the user instance from the session (didn't try this)
                    res.send(200); // tell the client that everything went ok
                } else {
                    res.send("wrong password", 500); // tell the client that the password was wrong (on a production system you want to hide what went wrong)
                }
            });
        });
});

This part handles the logout:

app.delete('/session', function(req, res) {
    // here is our security check
    // if you use an isAuthenticated middleware you could make this shorter
    if (req.session.authenticated) {
        // this destroys the current session (not really necessary because you get a new one anyway)
        req.session.destroy(function() {
            // if you don't want to destroy the whole session, because you get a new one anyway,
            // you could also just change the flags and remove the private information:
            // req.session.user.save(callback(err, user)) // didn't check this
            // delete req.session.user; // remove credentials
            // req.session.authenticated = false; // set flag
            // res.clearCookie('connect.sid', { path: '/' }); // see comments above
            res.send('removed session', 200); // tell the client everything went well
        });
    } else {
        res.send('cant remove public session', 500); // public sessions don't contain sensitive information so we leave them
    }
});

Hope this helps

+5

Source: https://habr.com/ru/post/1013618/
