Correct logOut using Passport. ClearCookie doesn't delete cookies. #104
The only difference is that req.logout is no longer there. I have no idea what that code does, so not sure why removing it would affect the cookie. |
I think But also if I just use Why? |
I'm not sure. I can investigate the issue, though. Please provide all the following so I can reproduce the issue:
Thanks! |
Same here. The steps here didn't help:
Using
|
I can investigate but need to be able to reproduce the issue. Please provide the three pieces from #104 (comment) so I can take a look :) |
This is the workaround I found as of now: do not call

```js
// config.js
module.exports = {
  baseCookieOptions: {
    name: 'app.session',
    httpOnly: true,
    signed: true,
    secret: 'secret' // placeholder; load a strong secret from the environment in real deployments
  }
}

// init-cookie.js
const cookieParser = require('cookie-parser')
const cookieSession = require('cookie-session')
const { baseCookieOptions } = require('./config')
const isProd = process.env.NODE_ENV === 'production'

module.exports = (app) => {
  app.use(cookieParser())
  app.use(
    cookieSession({
      ...baseCookieOptions,
      secure: isProd,
      maxAge: 30 * 24 * 60 * 60 * 1000 // 30 days
    })
  )
}

// auth-route.js
const router = require('express').Router()
const { baseCookieOptions } = require('./config')

// route path needs the leading slash to match GET /logout
router.get('/logout', (req, res, next) => {
  // manually set cookie headers, cause `req.logout` does not work
  // req.logout()
  req.secret = baseCookieOptions.secret
  res.clearCookie('app.session', baseCookieOptions)
  res.clearCookie('app.session.sig', baseCookieOptions)
  res.json({
    status: 'ok'
  })
})

module.exports = router
```

Version of Node.js, this module, and all other involved modules:
|
I'm just going to close this for now since it's been three posts yet it doesn't seem like anyone is interested in actually providing the info I need to investigate. You're welcome to make a pull request with a fix though, if you cannot provide code I can investigate 👍 |
@dougwilson sorry for the delay. What you asked:
You can click on "Login" > Login button (form already compiled) > et voilà, you can see the cookies:
After that you can use the "Logout" menu link to log out, and you can see the cookies are still there, but different: What I'm asking in this issue is whether this behaviour is correct: am I wrong? This is the code for logout:

```js
app.get('/logout', async (req, res) => {
  await req.logout();
  req.session = null;
  res.clearCookie("test")
  res.clearCookie("test.sig")
  return res.redirect('/')
})
```
|
You cannot use both

```js
app.get('/logout', async (req, res) => {
  await req.logout();
  res.clearCookie("test", {path:"/",httpOnly:true})
  res.clearCookie("test.sig", {path:"/",httpOnly:true})
  return res.redirect('/')
})
```
|
I updated the code on https://acoustic-red.glitch.me. As you can see it doesn't work. Actual code:

```js
app.get('/logout', async (req, res) => {
  await req.logout();
  //req.session = null;
  res.clearCookie("test")
  res.clearCookie("test.sig")
  return res.redirect('/')
})
```
|
Use the code I posted above. |
@dougwilson thanks. The difference is just this: Why, if I use this instead, does it work and delete all cookies?

```js
app.get('/logout', async (req, res) => {
  res.clearCookie("test")
  res.clearCookie("test.sig")
  return res.redirect('/')
})
```
|
@dougwilson I tried, as you can see. It doesn't work with your code either:

```js
app.get('/logout', async (req, res) => {
  await req.logout();
  res.clearCookie("test", {path:"/",httpOnly:true})
  res.clearCookie("test.sig", {path:"/",httpOnly:true})
  return res.redirect('/')
})
```

Cookies after "Logout" are still there. |
I just tried https://acoustic-red.glitch.me/ in Google Chrome and it worked just fine. Both |
@dougwilson I'm sorry because it seems I'm crazy. My Chrome still doesn't work. And also another PC. After "Login" (redirect on "private" page): After "Logout" (redirect on Home Page): So the cookies are still there but are different! Now if you click again on "Logout" the cookies are gone! |
I still cannot replicate on the site you provided. I tried a different machine with the same result I posted above. |
@tsm91, can you try what I say here: #104 (comment) @dougwilson I tried another PC (NOT MY PC!) right now and it's the same (Chrome and Firefox). How is it possible?! |
Perhaps we are not doing exactly the same clicks / interactions on the site and that is causing the difference. Can you write down, click by click, exactly what you do on the site? Also, let's start a new Incognito session as well to make sure we have the same state too. |
@dougwilson OK. Incognito mode always.
|
@federomero I checked the demo page and followed the steps. Note: after I log out the first time and the cookie contents are changed, I am no longer able to visit the private page. Which is good. |
@tsm91 yes, it's good but the cookies are still there. |
@dougwilson, any hint on this? I'm not the only one. |
I'm not sure. I haven't retried yet. And the module source is open and free for modification. Don't let me hold you up, you're always welcome to fix the issue in the source and can make a pull request to contribute it back. |
In this (#100) thread @aliencorp suggests:
Does this make sense? |
I would really like to be able to create a PR that solves the problem. If I had known how to do it I would have already done it. |
Then just wait until I have some time to take another look. |
@dougwilson perfect! (Perhaps reopening the issue could help you remember the todo.) |
I haven't forgotten. I don't look through every repo every day to determine what I need to do. I have a todo list. I can reopen this if it will make you happy but it won't make any difference for when I can get to it. |
So I'm taking a look and it seems to be some kind of conflict between passport and this module. I'm not very familiar with passport, but I'm trying to dig in. Is there a way to attach a live debugger to get a break point in the server on that glitch.com website? |
Basically during the logout route, something is doing The |
The "remix" I made here: https://pale-bathtub.glitch.me/ seems to behave as you're expecting. |
@dougwilson your remix is just:
I think Isn't it? Is it secure to just use Thanks for your effort on these problems. |
correct, that was the only change in my remix.
The issue I'm seeing is that
I'm not very familiar with passport. Maybe you can explain exactly what But what I found is that the cookie is getting set on your logout because of the following: (1) req.logout alters the So it seems like you have one of two options: (a) don't touch the OR (b) call I hope that helps 👍 |
This is an example remix that will do the |
@dougwilson I love you. Thanks a lot for your commitment! I found this about Specifically:
So with just

```js
app.get('/logout', async (req, res) => {
  await req.logout()
  req.session = null
  req.sessionOptions.maxAge = 0
  return res.redirect('/')
})
```

It works very well. Am I wrong in something? |
So if all req.logout does is clear the res.session.user (which is why the module is trying to set the cookie as this is a modification to req.session), then that is pointless as that object is stored only in the cookie. This means that just clearing the cookie already does that and the req.logout is redundant. |
It refers to |
Ah. I have no idea. Where does req.user come from? |
I think from Passport. But I think it's okay to have both |
I'm using
PassportJS
and this code for logout: It just changes the cookies but doesn't delete them. Why?
It does delete them if I use just this code:
Where am I wrong?