
javascript - Does Passport's logout function remove the cookie? If not, how does it work? - Stack Overflow


From the docs:

Passport exposes a logout() function on req (also aliased as logOut()) that can be called from any route handler which needs to terminate a login session. Invoking logout() will remove the req.user property and clear the login session (if any).

    app.get('/logout', function(req, res){
        req.logout();
        res.redirect('/');
    });

From reading this and testing myself, it doesn't seem that logout removes the cookie from the client. From what I understand, when the client makes a request, it sends along its cookie, which Passport deserializes and transforms into req.user.

Assuming that logout doesn't remove the cookie and that Passport uses the cookie to determine whether or not the user is logged in, how does the logout function actually log the user out?

Asked Jul 26, 2015 at 20:58 by Adam Zerner; edited Jun 20, 2020 at 9:12.
  • Just because it didn't remove the cookie doesn't mean it didn't invalidate the session - have you tested to see whether the user still has access? – brandonscript Commented Jul 26, 2015 at 21:30
  • I guess I'm confused as to what it means to invalidate a session. Isn't it the case that when a request comes in with the cookie, it populates req.user? – Adam Zerner Commented Jul 26, 2015 at 21:32
  • I honestly don't know enough about Passport's implementation. But it might set the cookie to a different value or mark it as invalid somehow. Or it invalidates the token with the auth provider. – brandonscript Commented Jul 26, 2015 at 21:36

5 Answers

I'm coming across this question about four years later, and fortunately, I think I understand it now.

Passport's logout function does not clear the session ID cookie for you. However, that isn't actually a problem. I'll explain why.

When you are logged in, here is how things work. When you send a request to the server, the session ID cookie is sent along with the request. Then the server takes that session ID, looks up the corresponding user with an active session, and populates req.user for you.

With that said, think about what happens if you log out, but don't clear that session ID cookie. Next time a request is sent, the cookie will still be sent along, because it wasn't cleared. But then what happens? It'll try to look up the corresponding user with an active session... but it won't find anything! So req.user won't end up being populated. That's why it isn't a big deal whether or not that cookie gets deleted.

Here's the complete solution that will delete the entire session from the server and clear the cookie on the client side:

    module.exports.getLogout = function (req, res, next) {
        // Remove req.user and the user from the session's passport data
        // (note: Passport 0.6+ expects req.logout(callback)).
        req.logout();
        // Destroy the session record in the server-side store...
        req.session.destroy(function (err) {
            if (!err) {
                // ...and tell the client to drop the session ID cookie.
                res.status(200).clearCookie('connect.sid', {path: '/'}).json({status: "Success"});
            } else {
                // handle error case...
            }
        });
    };

No, it doesn't. The req.logout method in passport.js is, IMO, really bad. All it does is remove the 'user' property from the req object. It doesn't touch any cookies or update the session info in your session store.

You have to do those other two things manually, i.e.

    // first remove the "passport" key from the session in your store
    // or set it to null
    req.session.passport = null;
    // then, when you get the confirmation callback from your store...
    req.session.save(function (err) {
        res.clearCookie('sid', {path: '/'});
        res.redirect('/');
    });

As far as I know this is the common issue. You may try the following.

  1. Try to use logOut() instead of logout()

    req.logOut(); res.redirect('/');

  2. Try to use session.destroy

    req.session.destroy(function (err) { res.redirect('/'); });

You may also refer to the link: https://github.com/jaredhanson/passport/issues/216

Well, you don't need to delete the cookie from the client because once you call the req.logout() function, exposed by Passport, Passport removes the req.user object that represented the authenticated state on the server.

On the client, the cookie itself is not destroyed but it is invalidated. You can check the cookie before and after you hit the logout button (execute req.logout). What you will see is that the cookie has changed, both its string representation and its size.

After you logout, the size of the cookie will be reduced to the base size because all the data that has been set about the user has been destroyed. Or in other words, the cookie is useless.
