
Why is the app still storing a session after the "Log out" button has been clicked?

Even when a user clicks the "Log out" button, you can still get right back in without having to provide your credentials by putting "localhost:3000/profile" into the address bar. On top of that, your client is still storing the cookie that was created by the app. Why is this behavior happening? I tried to make the user login system more secure by deleting the cookie, which works, but you can still get in by putting "localhost:3000/profile" into the address bar. I just don't understand why this is happening. Any help would be great.

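```javascript
// GET /logout
// `router` is the express.Router() instance created earlier in this routes file
router.get('/logout', function(req, res, next){
  if(req.session){
    // Clear the cookie on the client
    res.clearCookie('connect.sid', { path: '/' });
    // Delete the session object
    req.session.destroy(function(err){
      if(err){
        return next(err);
      } else{
        return res.redirect('/');
      }
    });
  } else {
    // No session to destroy: still answer the request so it does not hang
    return res.redirect('/');
  }
});
```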
Adam Beer
11,314 Points

I'm thinking about first deleting all data when anybody clicks the button, then 're-building' the homepage. We get a clean page. They need the cookies but not the '/logout' router. We use 'router.get' for logout, not 'router.post'.

2 Answers

Well I'm not sure what is going on, but it seems to be working just fine now. Grr, my brain is turning to mush.

Curtis Beall
11,506 Points

Thank you so much. I was having the same issue until I used your code. For some reason the clear cookies portion is not in the video or on the page.

Ben Moore
22,588 Points

I had the same issue, not understanding why he would use req.session.destroy() but not res.clearCookie(). Seeing your code, it works -- really needed the res.clearCookie().

Erika Suzuki
20,299 Points

The app stores some cookies by default. Even if you destroy them, the default ones will be recreated, I think.
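A check for the behaviour discussed in this thread, as an added example that is not code from the course or from any poster: after logout, the same cookie value sent again to the profile route must be refused, which depends on the server-side session being destroyed and on the route being guarded. The `Map` store, the stub `req`/`res` objects, the `requiresLogin` guard name and its 401 response are assumptions made so the example runs without Express.

```javascript
const sessions = new Map(); // constructed in-memory stand-in for the session store

// Stand-in for express-session: attach the stored session for the cookie's id
function loadSession(req) {
  const sid = req.cookies['connect.sid'];
  if (!sessions.has(sid)) return;
  req.session = Object.assign({}, sessions.get(sid), {
    destroy(cb) { sessions.delete(sid); req.session = undefined; cb(null); }
  });
}

// Hypothetical guard: only requests with a logged-in session reach the route
function requiresLogin(req, res, next) {
  if (req.session && req.session.userId) return next();
  res.statusCode = 401;
}

function profile(req, res) {
  requiresLogin(req, res, function () { res.body = 'profile page'; });
}

function logout(req, res, next) {
  if (!req.session) return res.redirect('/');
  req.session.destroy(function (err) {
    if (err) return next(err);
    res.clearCookie('connect.sid', { path: '/' });
    res.redirect('/');
  });
}

// Send one request through a handler; sid is the cookie value the client presents
function request(handler, sid) {
  const req = { cookies: sid ? { 'connect.sid': sid } : {} };
  const res = { statusCode: 200, cleared: [], location: null,
    clearCookie(name) { this.cleared.push(name); },
    redirect(to) { this.statusCode = 302; this.location = to; } };
  loadSession(req);
  handler(req, res, function (err) { if (err) res.statusCode = 500; });
  return res;
}

function demo() {
  sessions.set('sid-1', { userId: 'u1' }); // constructed session, as left by a login
  const before = request(profile, 'sid-1').statusCode;
  const out = request(logout, 'sid-1');
  const replay = request(profile, 'sid-1').statusCode; // same cookie value sent again
  return { before, logoutStatus: out.statusCode, cleared: out.cleared, replay };
}
console.log(demo());
```

If the replayed request still succeeds in a real app, either the profile route is missing its guard or the session was never removed from the store; clearing the browser cookie alone changes neither.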