Why is PassportJS in Node not removing session on logout

I am having trouble getting my system to log out with PassportJS. It seems the logout route is being called, but its not removing the session. I want it to return 401, if the user is not logged in in specific route. I call authenticateUser to check if user is logged in.

Thanks a lot!

/******* This in index.js *********/
// setup passport for username & passport authentication
adminToolsSetup.setup(passport);

// admin tool login/logout logic
app.post("/adminTool/login",
    passport.authenticate('local', {
        successRedirect: '/adminTool/index.html',
        failureRedirect: '/',
        failureFlash: false })
);
app.get('/adminTool/logout', adminToolsSetup.authenticateUser, function(req, res){
    console.log("logging out");
    console.log(res.user);
    req.logout();
    res.redirect('/');
});


// ******* This is in adminToolSetup ********
// Setting up user authentication to be using user name and passport as authentication method,
// this function will fetch the user information from the user name, and compare the password     for authentication
exports.setup = function(passport) {
    setupLocalStrategy(passport);
    setupSerialization(passport);
}

function setupLocalStrategy(passport) {
    passport.use(new LocalStrategy(
        function(username, password, done) {
            console.log('validating user login');
            dao.retrieveAdminbyName(username, function(err, user) {
                if (err) { return done(err); }
                if (!user) {
                    return done(null, false, { message: 'Incorrect username.' });
                }
                // has password then compare password
                var hashedPassword = crypto.createHash('md5').update(password).digest("hex");
                if (user.adminPassword != hashedPassword) {
                    console.log('incorrect password');
                    return done(null, false, { message: 'Incorrect password.' });
                }
                console.log('user validated');
                return done(null, user);
            });
        }
    ));
}

function setupSerialization(passport) {
    // serialization
    passport.serializeUser(function(user, done) {
        console.log("serialize user");
        done(null, user.adminId);
    });

    // de-serialization
    passport.deserializeUser(function(id, done) {
        dao.retrieveUserById(id, function(err, user) {
            console.log("de-serialize user");
            done(err, user);
        });
    });
}

// authenticating the user as needed
exports.authenticateUser = function(req, res, next) {
    console.log(req.user);
    if (!req.user) {
        return res.send("401 unauthorized", 401);
    }
    next();
}

Adding req.session.destroy(); worked for me, I had the same problem

req.session.destroy(); worked for me too and remember to clear you cookies with res.clearCookie('cookiename'). However does anyone knows what exactly req.logout() do?

@WebHrushi you can find the function in passport/lib/passport/http/request.js. Today both versions stopped working for me, redirect seems in both ways called before the session is finally destroyed. On the redirected page both ways described here seem to be working fine.

I don't like the idea of not using req.logout(), for forward compatibility and whatnot, so I just added req.session.destroy(); after req.logout() and that works fine.

I just get 'Object #<Session> has no method 'destroy'' as errormessage

@schlenger Hmm, the above is using Express 3. Are you using version 4?

The current version of Passport accepts either logOut or logout (same with login and logIn)

I'm not using Angular so this doesn't make any sense. :/

why delay of 2 seconds, when you can use an asynchronous callback

The callback was not firing consistently for me.

Be careful because, in the example given here, the usage of session.destroy assumes use of the express-sessions module. Other session modules (e.g. mozilla node-client-sessions) adds a destroy method that returns synchronously only and disregards any callback pararmeter. In which case your code will hang

I was having issues with both logout and login occasionally not sticking, and this fixed it for me.

@TomHughes Glad it helped!!

your code can lead to an unexpected behavior if the cache is slow or if you have a middle ware running after the logout logic, you should use req.session.destroy(()=> res.redirect("/"));

session.destroy is asynchronous and requires a callback. You should call res.redirect('/'); in that callback.

Are you basing this on client-sessions? It's destroy function doesn't take an argument: github.com/mozilla/node-client-sessions/blob/master/lib/…

This solves the issue on the client, rather than on the server, which seems insecure. if connect.sid gets hijacked before you log out it shouldn't allow another party to login as you after you have logged out.

logout and logOut were aliased to each other in 2015: github.com/jaredhanson/passport/blame/…

ok I use your second method. The session file in the sessions folder is deleted and the session cookie is removed from the client, but the Node server shows following error message in the console: [session-file-store] will retry, error on last attempt: Error: ENOENT: no such file or directory, open ... how could I fix this?

Welcome! Please refer to this guide for improving your answers stackoverflow.com/help/how-to-answer

Was searching for 4 hours before ending up on this answer, a silly mistake but thanks for pointing out.

Thanks for trying to support. I would suggest fixing the code formatting in your answer. The main snippet you posted isn't valid JS.

Why will this code work? Can you provide more detail around that? Thanks!