
Comments (7)

joewagner commented on June 7, 2024 1

Hey @shrihari-prakash I have a couple ideas on what might be happening...

> I've called destroy, I've deleted the Redis entry manually, I deleted req.session. But when the client sends a request to an API that requires authentication, req.session is still present.

After logout, is req.session an empty Object, or does req.session get populated with data for the given cookie?
This module creates the req.session Object for you, and its initial state is an empty Object.

Can you log the sessionId and see if it's changing between requests?

Can you open a redis shell and check the following:

  1. The key exists with the name you are expecting before the logout request
  2. The key does not exist after the logout request finishes
    sounds like you might have already done this, just double checking

I'm not sure what your desired behaviour is, but as a simple fix can you try using the unset: 'destroy' option and set the session to null when someone logs out?

from session.

shrihari-prakash commented on June 7, 2024 1

> However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.

> This sounds like the root of the problem. The express-session package can't logout a session if it doesn't receive the cookie.

I was not using credentials mode include in the logout request 🙂

Thanks for trying to resolve this @joewagner !


dougwilson commented on June 7, 2024

Hello, and sorry for the trouble. You will need to open this issue with the module you are using for your store, as calling req.session.destroy just calls the destroy on your store module. This module does not have any persistence in itself, just calls to the underlying store to destroy or get a given session.

If you believe that the issue is not with your store module, we can reopen it, but ideally you can provide a complete app with replication steps, as well as use our memorystore in the demo so we can rule out the store module.


shrihari-prakash commented on June 7, 2024

I'm pretty sure it has nothing to do with the store as I see that del function of my redis is called. However, I'm finding that req.session.id is not the same in the time of session creation and destroy.


dougwilson commented on June 7, 2024

Hmm, I'm not sure what is happening. You can find what this module does for destroy, which is that it simply calls the destroy on the store:

session/session/session.js

Lines 109 to 113 in 1010fad

```js
defineMethod(Session.prototype, 'destroy', function destroy(fn) {
  delete this.req.session;
  this.req.sessionStore.destroy(this.id, fn);
  return this;
});
```

If you believe that the issue is not with your store module, we can reopen it, but ideally you can provide a complete app with replication steps, as well as use our memorystore in the demo so we can rule out the store module.


shrihari-prakash commented on June 7, 2024

On my side unfortunately, I do not have a minimal reproducible sample since it looks like the sessions are working fine on my local. The problem seems to be appearing only on server with Nginx as reverse proxy (or it appears also without a proxy not sure). But I have trust proxy enabled, secure cookies enabled with X-Forwarded-Proto header.

However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.


joewagner commented on June 7, 2024

> However, one thing that might factor in is that the calling domain of login and logout are different (still under same main domain). But I am not sure if it matters as the domain that is called for logout is still the same so cookies need to be sent. But I see that in the logout request, there is no cookies though I can manually check cookies in the browser. Hence looks like express-session might be creating a new session on logout API.

This sounds like the root of the problem. The express-session package can't logout a session if it doesn't receive the cookie.

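The failure diagnosed in this thread, as an added example that is not part of the original discussion and not express-session's code: a simplified in-memory model showing that a logout request arriving without the session cookie destroys a freshly minted session and leaves the real one in the store. The names `loadSession`, `login`, `logout` and `demo` are hypothetical, the session IDs are constructed, and the 401 check in `logout` is an added suggestion so that a cookie-less logout cannot silently report success.

```javascript
// Simplified model of a cookie-keyed session layer (not express-session's code).
const COOKIE = 'connect.sid';      // express-session's default cookie name
const store = new Map();           // stands in for Redis: sessionID -> data
let counter = 0;                   // constructed IDs; real ones must be random

function cookieValue(header = '', name) {
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return undefined;
}

// Reuse the stored session when the cookie matches; otherwise mint a new,
// empty session under a new ID (what the poster saw on the logout request).
function loadSession(req) {
  const sid = cookieValue(req.headers.cookie, COOKIE);
  req.fromCookie = Boolean(sid && store.has(sid));
  req.sessionID = req.fromCookie ? sid : `sid-${++counter}`;
  req.session = req.fromCookie ? store.get(sid) : {};
  return req;
}

function login(req, userId) {
  loadSession(req);
  req.session.userId = userId;
  store.set(req.sessionID, req.session);
  return req.sessionID;            // the value the browser keeps in its cookie
}

// Logout that refuses to report success unless it destroyed a logged-in session.
function logout(req) {
  loadSession(req);
  const authenticated = req.fromCookie && 'userId' in req.session;
  store.delete(req.sessionID);
  return { status: authenticated ? 204 : 401, destroyedId: req.sessionID };
}

function demo() {
  store.clear();
  const sid = login({ headers: {} }, 'alice');
  const noCookie = logout({ headers: {} });  // request sent without credentials
  const survives = store.has(sid);           // original session still valid
  const withCookie = logout({ headers: { cookie: `${COOKIE}=${sid}` } });
  return { sid, noCookie, survives, withCookie, gone: !store.has(sid) };
}

console.log(demo());
```

On the client side, the fix the poster describes corresponds to passing `credentials: 'include'` to `fetch` for the cross-origin logout call so the browser attaches the session cookie.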
