
I'm trying to set up cookie authentication in my Angular/Express app.

I'm using cookie-session to configure the cookie:

const cookieSession = require("cookie-session");
const jwt = require("jsonwebtoken");

// Session data lives in the cookie itself, signed with the secret.
app.use(
  cookieSession({
    name: "marketplace-session",
    secret: RSA_PRIVATE_KEY,
    httpOnly: true,   // not readable from client-side JavaScript
    secure: true,     // only sent over HTTPS
    sameSite: 'lax'
  })
);

Then in my login route I generate a token and put it in the cookie:

// Token carries the user id and expires after 24 hours.
const token = jwt.sign({ userId: user._id }, RSA_PRIVATE_KEY, {
  expiresIn: '24h'
});

// Stored in the session, so it is written into the cookie on the response.
req.session.token = token;

And in my logout route I destroy the cookie session:

// cookie-session responds with a Set-Cookie that clears the cookie.
req.session = null;

Client-side, I used an interceptor to add "withCredentials: true" to every request sent to the server:

// Angular HttpInterceptor: clone each request so the browser attaches cookies.
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
  req = req.clone({
    withCredentials: true
  });

  return next.handle(req);
}

The problem is that after logout, the cookie is still stored by the browser and sent in every request, which means that the user can still access restricted routes after logout. I'm not sure if I should also remove the cookie client-side, as it's my understanding that the cookie should only be treated in the backend.
