How to delete cookie-session?

Question

This is my code:

var express = require('express')
var sessionCookie = require('cookie-session')
var app = express();

app.use(sessionCookie({ keys: ['abc'], name: 'user' }));

app.get('/', function (req, res, next) {
  req.session.views = (req.session.views || 0) + 1;
  res.end(JSON.stringify(req.session));
  console.log('req.session', req.session);
});

app.get('/logout', (req, res) => {
  req.session = {};
  // req.session = null;
  console.log("req.session(logOut): ", req.session);
  res.redirect('/');
});

app.listen(3000);

Why is the session not deleted when I use req.session = {}, but when I use req.session = null the session is deleted.

score 1 · Answer 1 · answered Jun 19 '23 at 09:09

Take a look at the source code v2.0.0/index.js#L124

The req.session has a setter/getter function, see:

// define req.session getter / setter
Object.defineProperty(req, 'session', {
  configurable: true,
  enumerable: true,
  get: getSession,
  set: setSession
})

When you set the req.session to null the sess variable will be set to false. If you set an empty object {} to req.session, as you can see, it will create a new session.

function setSession (val) {
  if (val == null) {
    // unset session
    sess = false
    return val
  }

  if (typeof val === 'object') {
    // create a new session
    sess = Session.create(val)
    return sess
  }

  throw new Error('req.session can only be set as null or an object.')
}

At the end, cookie-session will use the on-headers package to set the cookie, if the sess is false, the cookie will be set to ''.

onHeaders(res, function setHeaders () {
  if (sess === undefined) {
    // not accessed
    return
  }

  try {
    if (sess === false) {
      // remove
      debug('remove %s', name)
      cookies.set(name, '', req.sessionOptions) // <- here
    } else if ((!sess.isNew || sess.isPopulated) && sess.isChanged) {
      // save populated or non-new changed session
      debug('save %s', name)
      cookies.set(name, Session.serialize(sess), req.sessionOptions)
    }
  } catch (e) {
    debug('error saving session %s', e.message)
  }
})

How to delete cookie-session?

1 Answers1