0

I'm using stormpath-express along with express-session in my express application. The login part works fine. However, when I log out, the previous session property still there in the session. I can see the session property connect.sid remain the same

I invoked /logout like so <button class="btn btn-default btn-default navbar-btn" onclick="$.post('/logout', function(data) {location.href='/'})"> It's a ajax POST call to /logout.

Per stormpath documentation, the session will be destroyed. However, when I login with a different user, the previous session cookies are still there.

var session = require('express-session');    
app.use(session({
      genid: function(req) {
        return uuid.v1();
      },
      secret: 'xxxxx',
      resave: false,
      saveUninitialized: false
    }));

After logout, the previous session property is still there

var sess = req.session;
        if(sess.phoneNumbers) {
            console.log('reuse phoneNumbers from session'); // why it still here???
        } else {
timpham
  • 556
  • 2
  • 7
  • 25

1 Answers1

0

Express-Stormpath will only delete the cookies that it manages, it will not delete your own cookie as we don't want to interfere with any custom use-cases that the other session cookies may be used for.

If you would like delete your cookies as the same time as ours, you can implement a route handler that runs before ours. Simply place this code above the call to stormpath.init():

   app.post('/logout', function (req, res, next) {
     // delete the cookies that you need to delete
     next();  // our logout handler will get called next
   });

We are planning to add a Post-Logout Handler that will allow you to do the same thing.

I hope this answer helps! P.S. I work at Stormpath and I maintain these libraries :)

robertjd
  • 4,723
  • 1
  • 25
  • 29