I'm using stormpath-express along with express-session in my Express application. The login part works fine. However, when I log out, the previous session property is still there in the session. I can see the session property connect.sid remains the same.
I invoked /logout like so:
    <button class="btn btn-default btn-default navbar-btn" onclick="$.post('/logout', function(data) {location.href='/'})">
It's an AJAX POST call to /logout.
Per the Stormpath documentation, the session will be destroyed. However, when I log in with a different user, the previous session cookies are still there.
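    var session = require('express-session');
    var uuid = require('uuid'); // assumed: the uuid package that provides v1()

    app.use(session({
      // generate a fresh session ID for every new session
      genid: function(req) {
        return uuid.v1();
      },
      secret: 'xxxxx',
      resave: false,
      saveUninitialized: false
    }));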
After logout, the previous session property is still there:
    var sess = req.session;
    if (sess.phoneNumbers) {
      console.log('reuse phoneNumbers from session'); // why is it still here???
    } else {
      // ...
    }
Express-Stormpath will only delete the cookies that it manages, it will not delete your own cookie as we don't want to interfere with any custom use-cases that the other session cookies may be used for.
If you would like to delete your cookies at the same time as ours, you can implement a route handler that runs before ours. Simply place this code above the call to stormpath.init():
We are planning to add a Post-Logout Handler that will allow you to do the same thing.
I hope this answer helps! P.S. I work at Stormpath and I maintain these libraries :)
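A handler of the kind the answer describes, written here as an added example (it is not the answer's original code or Stormpath's own). The names destroyLocalSession and simulateLogout, the mock req/res objects and the wiring shown in the first comment are assumptions.

```javascript
// Assumed wiring, registered above stormpath.init():
//   app.post('/logout', destroyLocalSession);
var SESSION_COOKIE = 'connect.sid'; // express-session's default cookie name

function destroyLocalSession(req, res, next) {
  if (!req.session) {
    return next(); // no express-session data on this request
  }
  // destroy() deletes the server-side record, so per-user values such as
  // phoneNumbers cannot be reused by the next account on this browser.
  req.session.destroy(function (err) {
    if (err) {
      return next(err); // do not claim a logout that did not happen
    }
    res.clearCookie(SESSION_COOKIE);
    next(); // continue to the library's own logout handler
  });
}

// Constructed stand-ins for Express's req/res so the block runs offline.
function simulateLogout(storeFails) {
  var store = { 'sid-1': { phoneNumbers: ['555-0100'] } }; // constructed data
  var cleared = [];
  var req = {
    session: {
      destroy: function (cb) {
        if (storeFails) {
          return cb(new Error('store unavailable'));
        }
        delete store['sid-1'];
        delete req.session;
        cb(null);
      }
    }
  };
  var res = { clearCookie: function (name) { cleared.push(name); } };
  var outcome = { error: undefined };
  destroyLocalSession(req, res, function (err) { outcome.error = err || null; });
  outcome.recordsLeft = Object.keys(store).length;
  outcome.cleared = cleared;
  outcome.sessionOnReq = 'session' in req;
  return outcome;
}

console.log(simulateLogout(false), simulateLogout(true));
```

If the session middleware is configured with a custom `name` or cookie `path`, pass the same values to `clearCookie`, otherwise the browser keeps the old cookie.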