12

Basically I'm doing a redirect from a.example.com to www.example.com and I expect to be able to delete cookies on www.example.com (because the cookie is created with .example.com as the cookie domain), but the following code doesn't work.

I know that this question seems like a duplicate question; I tried everything from similar questions but it doesn't work. See after the code what I already tried.

Using express 3.0.3 and node 0.10.32.

express session middleware

...
var cookiedata = { 
    domain              : '.example.com',
    originalMaxAge      : null,
    httpOnly            : false
};

app.use(express.session({
        store  : ..., 
        secret : ..., 
        key    : 'express.sid', 
        cookie : cookiedata 
}));
...

logout function

function logout(req, res){
    ...

    req.session.destroy(function(){
        req.session = null;

        res.clearCookie('express.sid', { path: '/' });
        res.redirect('https://www.example.com');

    });
}

What I already tried from similar questions

  1. https://github.com/strongloop/express/issues/691

So I put path : '/' in the express session middleware, such as:

app.use(express.session({ ..., path : '/' }));

No success.

  2. https://groups.google.com/forum/#!topic/express-js/PmgGMNOzhgM
    Instead of res.clearCookie I used: res.cookie('express.sid', '', {expires: new Date(1), path: '/' });

No success.

Srle

3 Answers

11

This is response.clearCookie of Express.JS (file response.js at line 749).

var opts = merge({ expires: new Date(1), path: '/' }, options);
return this.cookie(name, '', opts);

If you set a breakpoint at this line you will see expires is reported as an invalid date. So instead of using response.clearCookie, just make it expire immediately like this one.

response.cookie("express.sid", "", { expires: new Date() });
Tien Do
4

This is working for me with the cookie-parser module:

router.get('/logout', function(req, res){
    var cookie = req.cookies; // declared with var so it is not an implicit global
    for (var prop in cookie) {
        if (!cookie.hasOwnProperty(prop)) {
            continue;
        }    
        res.cookie(prop, '', {expires: new Date(0)});
    }
    res.redirect('/');
});
Sandro Wiggers
1

What worked for me was adding path and domain in res.clearCookie:

res.clearCookie(<cookie-name>, {path: '/', domain: <domain-on-which-cookie-is-set>})

Also, make sure to include credentials on the frontend, otherwise no cookie will be sent with the request. If no cookie goes to the server, it has nothing to clear!

fetch('url.com', {credentials: "include"})

swarajpure
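The following is an added example, not code from the question or from any answer: a simplified model of browser cookie storage (RFC 6265, section 5.3) showing why an expiring Set-Cookie without a Domain attribute leaves a cookie set for .example.com in place. The names `parseSetCookie`, `CookieJar` and `demo` are hypothetical, the headers are constructed, the logout response is assumed to come from a.example.com, and the default path is fixed to "/" for brevity.

```javascript
// Added example: simplified model of browser cookie storage (RFC 6265, section 5.3).
// A stored cookie is identified by name + domain + path; an expired Set-Cookie
// removes only the entry whose three fields match.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // no Domain attribute: host-only cookie
    path: '/',                         // simplification: default path fixed to "/"
    expires: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); }
  setCookie(header, requestHost, now = new Date()) {
    const c = parseSetCookie(header, requestHost);
    const id = [c.name, c.domain, c.path].join('|');
    if (c.expires && c.expires <= now) this.store.delete(id); // deletes the matching id only
    else this.store.set(id, c);
  }
  has(name) { return [...this.store.values()].some((c) => c.name === name); }
}

// Constructed headers; the logout is assumed to be served from a.example.com.
const EXPIRED = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
function demo() {
  const jar = new CookieJar();
  // Session cookie as configured in the question (domain .example.com).
  jar.setCookie('express.sid=constructed-value; Domain=.example.com; Path=/', 'a.example.com');
  // Shape of what res.clearCookie('express.sid', { path: '/' }) sends: no Domain.
  jar.setCookie(`express.sid=; Path=/; ${EXPIRED}`, 'a.example.com');
  const afterClearWithoutDomain = jar.has('express.sid');
  // Same header with the Domain the cookie was set on.
  jar.setCookie(`express.sid=; Domain=.example.com; Path=/; ${EXPIRED}`, 'a.example.com');
  return { afterClearWithoutDomain, afterClearWithDomain: jar.has('express.sid') };
}
console.log(demo()); // { afterClearWithoutDomain: true, afterClearWithDomain: false }
```

For logout this means the session cookie stays in the browser until the clearing header repeats the same domain and path that were used when the cookie was set.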