I feel like this has to be buried somewhere in the documentation, but I can't find it.
How do you close or end or kill (whatever) a session in ExpressJS?
Asked
Active
Viewed 1.7e+01k times
10 Answers
148
Express 4.x Updated Answer
Session handling is no longer built into Express. This answer refers to the standard session module: https://github.com/expressjs/session
To clear the session data, simply use:
req.session.destroy();
The documentation is a bit useless on this. It says:
Destroys the session, removing req.session, will be re-generated next request.
req.session.destroy(function(err) { // cannot access session here })
This does not mean that the current session will be re-loaded on the next request. It means that a clean empty session will be created in your session store on next request. (Presumably the session ID isn't changing, but I have not tested that.)
Brad
- 159,648
- 54
- 349
- 530
-
is there a way to destroy session from sessions and not of the immediate request. For example if i were to implement log me out of all devices functionality i'd need that – Muhammad Umer Jun 27 '15 at 23:02
-
1@MuhammadUmer As far as I know, there is no built-in mechanism for destroying an arbitrary session. You could implement this yourself easily by deleting the keys associated with the session from storage, or by creating your own session wrapper. – Brad Jun 27 '15 at 23:20
100
Never mind, it's req.session.destroy();
Afshin Mehrabani
- 33,262
- 29
- 136
- 201
Stephen
- 7,994
- 9
- 44
- 73
-
8This isn't working for me on express 3.. I'm trying to call ´req.session.destroy()´ – acidghost Oct 01 '12 at 23:48
-
6Working fine for me on ExpressJS 3.00. Used `req.session.destroy();` as acidghost did. – hexacyanide Nov 11 '12 at 16:06
-
1
-
1
28
The question didn't clarify what type of session store was being used. Both answers seem to be correct.
For cookie based sessions:
From http://expressjs.com/api.html#cookieSession
req.session = null // Deletes the cookie.
For Redis, etc based sessions:
req.session.destroy // Deletes the session in the database.
Blueshirts
- 309
- 4
- 6
-
1req.session.destroy essentially is a wrapper for "delete req.session", see the source-code here: https://github.com/expressjs/session/blob/master/session/session.js – tim-montague Dec 31 '14 at 09:15
10
Session.destroy(callback)
Destroys the session and will unset the req.session property. Once complete, the callback will be invoked.
↓ Secure way ↓ ✅
req.session.destroy((err) => {
res.redirect('/') // will always fire after session is destroyed
})
↓ Unsecure way ↓ ❌
req.logout();
res.redirect('/') // can be called before logout is done
Hasan Sefa Ozalp
- 6,353
- 5
- 34
- 45
-
What do if I have flash, because it is causing an error(which is obvious). | UnhandledPromiseRejectionWarning: Error: req.flash() requires sessions – Rajan Jan 28 '21 at 15:45
-
In that case I think you could use `req.user = { }`. `password.js` uses `req.user` as far as I remember to keep track of the logged in user. – Hasan Sefa Ozalp Jan 29 '21 at 06:17
9
use,
delete req.session.yoursessionname;
Nithin
- 383
- 3
- 9
-
-
5For all those down-voting @Nithin; the session.destroy() function-method as documented on github (github.com/expressjs/session/blob/master/session/session.js) uses "delete this.req.session" - it's not exactly @Nithin's answer, but using "delete" is a correct solution as well (and not covered in other answers). – tim-montague Dec 31 '14 at 09:10
-
Is this one is the proper solution? No memory leakage, anything mischievous things won't happen right? – Rajath Apr 29 '19 at 06:19
9
From http://expressjs.com/api.html#cookieSession
To clear a cookie simply assign the session to null before responding:
req.session = null
stream7
- 1,728
- 1
- 14
- 21
6
To end a server-side session
https://github.com/expressjs/session#sessiondestroycallback
req.session.destroy(function(err) {
// cannot access session here
})
Note, this is essentially a wrapper around delete req.session as seen in the source code:
https://github.com/expressjs/session/blob/master/session/session.js
defineMethod(Session.prototype, 'destroy', function destroy(fn) {
delete this.req.session;
this.req.sessionStore.destroy(this.id, fn);
return this;
});
To end a cookie-session
https://github.com/expressjs/cookie-session#destroying-a-session
req.session = null;
tim-montague
- 16,217
- 5
- 62
- 51
2
req.session.destroy();
The above did not work for me so I did this.
req.session.cookie.expires = new Date().getTime();
By setting the expiration of the cookie to the current time, the session expired on its own.
John Quasar
- 186
- 2
- 14
-
It also works for me, but the expression should be without `.getTime()`: just `req.session.cookie.expires = new Date();` – Ildar Sep 30 '22 at 09:06
2
You can retrieve the id of a session using req.session.id or req.sessionID and then pass it to req.sessionStore.destroy method like so:
const sessionID = req.session.id;
req.sessionStore.destroy(sessionID, (err) => {
// callback function. If an error occurs, it will be accessible here.
if(err){
return console.error(err)
}
console.log("The session has been destroyed!")
})
cani
- 1,650
- 1
- 6
- 5
-
I tried this but still the session is not deleted from MongoDB's session table. – usman imtiaz Sep 10 '22 at 15:41
-7
As mentioned in several places, I'm also not able to get the req.session.destroy() function to work correctly.
This is my work around .. seems to do the trick, and still allows req.flash to be used
req.session = {};
If you delete or set req.session = null; , seems then you can't use req.flash
Gene Bo
- 11,284
- 8
- 90
- 137