Comments (7)
Hey @shrihari-prakash I have a couple ideas on what might be happening...
I've called destroy, I've deleted the Redis entry manually, I deleted `req.session`. But when the client sends a request to an API that requires authentication, `req.session` is still present.
After logout, is `req.session` an empty Object, or does `req.session` get populated with data for the given cookie?
This module creates the `req.session` Object for you, and its initial state is an empty Object.
Can you log the sessionId and see if it's changing between requests?
Can you open a redis shell and check the following:
- The key exists with the name you are expecting before the logout request
- The key does not exist after the logout request finishes
sounds like you might have already done this, just double checking
I'm not sure what your desired behaviour is, but as a simple fix can you try using the `unset: 'destroy'` option and set the session to `null` when someone logs out?
from session.
However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.
This sounds like the root of the problem. The `express-session` package can't logout a session if it doesn't receive the cookie.
I was not using credentials mode include in the logout request.
Thanks for trying to resolve this @joewagner !
from session.
Hello, and sorry for the trouble. You will need to open this issue with the module you are using for your store, as calling `req.session.destroy` just calls the `destroy` on your store module. This module does not have any persistence in itself, just calls to the underlying store to destroy or get a given session.
If you believe that the issue is not with your store module, we can reopen it, but ideally you can provide a complete app with replication steps, as well as use our memorystore in the demo so we can rule out the store module.
from session.
I'm pretty sure it has nothing to do with the store as I see that del function of my redis is called. However, I'm finding that req.session.id is not the same in the time of session creation and destroy.
from session.
Hmm, I'm not sure what is happening. You can find what this module does for destroy which is that it simply calls the destroy on the store:
Lines 109 to 113 in 1010fad
If you believe that the issue is not with your store module, we can reopen it, but ideally you can provide a complete app with replication steps, as well as use our memorystore in the demo so we can rule out the store module.
from session.
On my side unfortunately, I do not have a minimal reproducible sample since it looks like the sessions are working fine on my local. The problem seems to be appearing only on server with Nginx as reverse proxy (or it appears also without a proxy not sure). But I have trust proxy enabled, secure cookies enabled with X-Forwarded-Proto header.
However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.
from session.
However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.
This sounds like the root of the problem. The `express-session` package can't logout a session if it doesn't receive the cookie.
from session.
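The failure diagnosed in this thread, as an added example that is not from the thread or from express-session: a simplified, dependency-free model showing that a logout request arriving without the session cookie destroys a freshly minted session and leaves the real one in the store. The `store` Map and the `sidFromCookie`, `attachSession`, `login`, `logout` and `demo` functions are hypothetical names; cookie signing is left out.

```javascript
// Added example: simplified model of cookie-based sessions, NOT express-session code.
const crypto = require('node:crypto');

const COOKIE = 'connect.sid';          // express-session's default cookie name
const store = new Map();               // stands in for the Redis store

// Pull the session id out of the Cookie header, if the browser sent one.
function sidFromCookie(header = '') {
  for (const part of header.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Attach a session to every request: load the one named by the cookie,
// or mint a new empty one when no known cookie arrives.
function attachSession(req) {
  const sent = sidFromCookie(req.headers.cookie);
  const known = sent !== null && store.has(sent);
  req.sessionID = known ? sent : crypto.randomUUID();
  req.session = known ? store.get(sent) : {};
  return { cookieReceived: sent !== null, known };
}

function login(req, user) {
  attachSession(req);
  req.session.user = user;
  store.set(req.sessionID, req.session);
  return req.sessionID;                // value the browser keeps as the cookie
}

// Logout that reports what it actually destroyed, so a cookieless call is
// visible in logs instead of silently "succeeding" on a brand-new session.
function logout(req) {
  const { cookieReceived, known } = attachSession(req);
  store.delete(req.sessionID);         // what destroy() asks the store to do
  return { destroyed: req.sessionID, cookieReceived, loggedOutExisting: known };
}

// Constructed requests: same user, logout sent without and then with the cookie.
function demo() {
  const sid = login({ headers: {} }, 'alice');
  const noCookie = logout({ headers: {} });   // like fetch() without credentials: 'include'
  const stillThere = store.has(sid);          // the real session survived
  const withCookie = logout({ headers: { cookie: `${COOKIE}=${sid}` } });
  return { sid, noCookie, stillThere, withCookie, goneNow: !store.has(sid) };
}
```

Logging `cookieReceived` and the destroyed id in a real logout route gives the same signal the thread arrived at by comparing `req.session.id` between login and logout.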