
I am using the express-session node module, trying to understand sessions in node js.

Why do we use cookies? -> HTTP is a stateless protocol; in order to identify that a request comes from the same user, we use a cookie to identify the user.

By using express-session we can set the cookie configuration (maxAge, secret key, etc.)

Now if we want to clear the session we use

// inside a route handler with access to req and res
req.session.destroy((err) => {
    if (err) {
        return console.log(err);
    }
    res.redirect('/');
});

The code works perfectly, but even after clearing the session, the cookie is still present in the browser. Still, the server is able to say you are not a valid user.

In passport.js, req.logout(); does the same thing: it clears the session, but the cookie is still present in the browser.

How does this work?

Nikhil Patil
  • *What do you mean by ...* .. who are you asking this of? Also, your question seems to be citing from a tutorial or site in parts of your question. If so, please indicate that, using citation styling or quotes around that text. – Brett Caswell Nov 08 '19 at 02:00
  • ok sir, will do it – Nikhil Patil Nov 08 '19 at 02:01
  • *after clearing the session, cookie is still present in browser.* ... the presence of the cookie isn't really what matters.. what matters is the value and whether that value correlates to session state on the server. If you requested this site with no cookie, a session cookie is going to be created with a value that correlates to an anonymous user. – Brett Caswell Nov 08 '19 at 02:02
  • thank you very much sir, I got my answer. – Nikhil Patil Nov 08 '19 at 02:05

1 Answer

Why do we use cookies? -> HTTP is a stateless protocol; in order to identify that a request comes from the same user, we use a cookie to identify the user.

Cookies are used when a server wants to track a particular user or piece of data from a particular browser. The situation where a user logs into a service creates a need to know from one request to the next who the request is coming from, whether it's been authenticated as a given user, etc... A cookie is used to provide that information on future requests coming from a given user. Cookies can be used to either hold specific information that is desired or can be used to hold some sort of identifier that can then be used by the server to find the desired information for that request/user.

The code works perfectly, but even after clearing the session, the cookie is still present in the browser. Still, the server is able to say you are not a valid user.

A session works by combining two pieces of information. Some sort of encrypted ID from a cookie is looked up on the server to find the matching session object. The session object can then contain information relevant to that particular user. One can kill the effectiveness of a session by either removing the cookie or by removing the session. In either case, there will be no encrypted ID coming from the browser with the next request that can be matched with the session object.

It is a bit more secure to remove the session object because if you only remove the cookie, but the cookie has been "stolen" by some intermediary, then that intermediary can still present the cookie they have stolen, even if the cookie was removed from the target browser. Obviously, if you remove the session on the server, even a stolen cookie won't be of any use. It's also useful to free session memory or storage used by a session object that is no longer needed, though in most implementations, they will "time out" at some future time and be cleaned up that way.

In passport.js, req.logout(); does the same thing: it clears the session, but the cookie is still present in the browser.

Per the Passport documentation, req.logout() removes the req.user property from the current request object and clears the login session. The doc doesn't say anything about modifying or removing the login cookie and one would logically think a method that cleared the cookie would be on the res object, not the req object.

jfriend00