5

I use the passport-google-oauth module to authenticate users on a web application I built using Express.js. The logout event is handled this way:

app.get('/logout', function(req, res) {
    console.log("logged out!");
    req.logout();
    res.redirect('/');
});

While this does redirect the user to the login page (at /), I'm not sure it really logs him out. After clicking on logout, when I open Gmail in a new tab, I remain logged in there (and no, I hadn't logged into Gmail earlier). How can I fix this? Also, what does req.logout() do to log the user out?

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
raul
  • 1,209
  • 7
  • 20
  • 36

2 Answers2

9

This is perfectly normal. When a user logs in to your application with his Google Account, he also logs in to all Google Services.

req.logout() only destroys the session that was created by Passport when the user logged in. That session was only linked to your application, not to the entire user's Google Profile.

If you want to log out the user from his Google Account as well, you'll have to redirect him to https://accounts.google.com/logout via a click on a button or something like that.

But this is very a debated policy, because, if you were already logged in to gmail, YouTube etc..., you would be logged out from all Google services at the same time. Pretty annoying.

For more information, check out this great answer by jmort253.

Community
  • 1
  • 1
Waldo Jeffers
  • 2,289
  • 1
  • 15
  • 19
2

That is because the session for google not expired for this u can use this one at google end.

// route for logging out
app.get('/logout', function(req, res) {
    req.session.destroy(function(e){
        req.logout();
        res.redirect('/');
    });
});

it will destroy your session from app. but if you want complete logout even from google account you can redirect to

https://mail.google.com/mail/u/0/?logout&hl=en

address

Gurjit Singh
  • 29
  • 1