Why do we use cookies? -> HTTP is a stateless protocol; in order to identify that a request comes from the same user, we use a cookie to identify the user.
Cookies are used when a server wants to track a particular user or piece of data from a particular browser. The situation where a user logs into a service creates a need to know from one request to the next who the request is coming from, whether it's been authenticated as a given user, etc... A cookie is used to provide that information on future requests coming from a given user. Cookies can be used to either hold specific information that is desired or can be used to hold some sort of identifier that can then be used by the server to find the desired information for that request/user.
The code works perfectly, but even after clearing the session, the cookie is still present in the browser. Still, the server is able to say you are not a valid user.
A session works by combining two pieces of information. Some sort of encrypted ID from a cookie is looked up on the server to find the matching session object. The session object can then contain information relevant to that particular user. One can kill the effectiveness of a session by either removing the cookie or by removing the session. In either case, there will be no encrypted ID coming from the browser with the next request that can be matched with the session object.
It is a bit more secure to remove the session object because if you only remove the cookie, but the cookie has been "stolen" by some intermediary, then that intermediary can still present the cookie they have stolen, even if the cookie was removed from the target browser. Obviously, if you remove the session on the server, even a stolen cookie won't be of any use. It's also useful to free session memory or storage used by a session object that is no longer needed, though in most implementations, they will "time out" at some future time and be cleaned up that way.
In passport.js, req.logout() does the same thing: it clears the session, but the cookie is still present in the browser.
Per the Passport documentation, req.logout() removes the req.user property from the current request object and clears the login session. The doc doesn't say anything about modifying or removing the login cookie, and one would logically think a method that cleared the cookie would be on the res object, not the req object.