
Hellooo, so I have a node.js server running in the background and I believe this is what "logs in" users (I did not write the backend).

```javascript
app.use(function (req, res, next) {
   var nodeSSPI = require('node-sspi');
   var nodeSSPIObj = new nodeSSPI({
      retrieveGroups: true,
      domain: "CAMISCOM"
   });
   if (req.secure) {
      nodeSSPIObj.authenticate(req, res, function (err) {
         res.finished || next();
      });
   } else {
      next();
   }
});
```

The login box looks like this in chrome 61:

[screenshot of the login box]

I've found when I do "Clear Browsing Data->Cookies and other site data" only, it will log me out. Also closing the browser and reopening logs me out.

I've tried to clear cookies in the front end, but document.cookie is an empty string. I'm kinda lost here. How can I implement a logout feature?

Thanks!

UPDATE: I believe I should be attempting to delete req.connection.user on the backend side. Currently I have an ajax call on the front calling a router on the backend and from there I have access to req where I set it equal to null, but this isn't doing anything.

Final Update: The solution for me was to have the backend do

```javascript
delete req.connection.user
delete req.connection.userSid
delete req.connection.userGroups
```

through a router, and then after the success of that router redirect them to https://log:out@website.com

Justin Braham
  • If the cookie is HTTPONLY you won't be able to access it from JS. – Joe Oct 06 '17 at 14:26
  • In Developer Tools ->Application -> Cookies there are no cookies shown either – Justin Braham Oct 06 '17 at 14:27
  • Logging out is a server-side action. Making the client forget its session does not terminate the session on the server - it only creates the appearance of having logged out. – Ags1 Oct 06 '17 at 14:42

1 Answer


It appears from some test code on the node-sspi Github site that you log out a user during a request by doing this on the server:

```javascript
delete req.connection.user;
delete req.connection.userSid;
delete req.connection.userGroups;
```

It is a bit odd that there is no doc for logging someone out.


This is perhaps relevant too: How to log out user from web site using BASIC authentication?

jfriend00
  • Possibly a dumb question but does doing this through a router (POST) count as "doing this on the server" – Justin Braham Oct 06 '17 at 15:24
  • @JustinBraham - Yes, that's a perfectly fine place to do it as long as the request is coming from the user that you want to log out. – jfriend00 Oct 06 '17 at 15:26
  • @JustinBraham - Added another idea to my answer. – jfriend00 Oct 06 '17 at 15:30
  • So I don't believe the delete method is working in the router. My ajax call is successful but nothing happens. Furthermore, if I res.send(req.connection.user) in the router it is the user I am trying to logout. P.S. I did not downvote, I upvoted... someone else must have downvoted – Justin Braham Oct 06 '17 at 15:45
  • @JustinBraham - Unless you redirect to a new page, nothing will appear to happen in the client. When you next attempt to access a page that requires authentication, it should prompt to login again. Usually a logout function will show some UI to the user that they are now logged out, but that's code you have to write, nothing happens automatically. If it isn't logging you out, then you can try the other technique I've linked to or I can just delete my answer as this is all that appears in the node-sspi site. – jfriend00 Oct 06 '17 at 15:49
  • Thank you that worked wonderfully! After the ajax call is successful now I redirect them to log:out@website.com and it forces a new login – Justin Braham Oct 06 '17 at 15:53
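
The server-side half of the logout described in this thread, written out as an added example (not code from the question, the answer, or the node-sspi project). The handler name `logoutHandler`, the `/logout` route and the `simulate` helper with its stand-in request and response objects are assumptions made for illustration.

```javascript
// Identity fields node-sspi leaves on the connection, as named on this page.
const IDENTITY_FIELDS = ['user', 'userSid', 'userGroups'];

// Remove the cached identity from the socket that carried this request.
// req.connection is a deprecated alias of req.socket on current Node.js,
// so both names refer to the same object.
function clearSspiIdentity(req) {
  const conn = req.socket || req.connection;
  if (!conn) return [];
  const cleared = [];
  for (const field of IDENTITY_FIELDS) {
    if (field in conn) {
      delete conn[field];
      cleared.push(field);
    }
  }
  return cleared;
}

// Hypothetical handler; mount it after the node-sspi middleware, e.g.
//   app.post('/logout', logoutHandler);
function logoutHandler(req, res) {
  if (req.method !== 'POST') {          // keep logout off plain GET links
    res.statusCode = 405;
    res.setHeader('Allow', 'POST');
    return res.end();
  }
  const cleared = clearSspiIdentity(req);
  res.statusCode = 200;
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Cache-Control', 'no-store');
  // The client redirects only after it sees this success response.
  res.end(JSON.stringify({ loggedOut: cleared.length > 0, cleared }));
}

// Constructed request/response stand-ins so the handler runs offline.
function simulate(method, identity) {
  const socket = Object.assign({}, identity);
  const req = { method, socket, connection: socket };
  const res = {
    statusCode: 0, headers: {}, body: '',
    setHeader(name, value) { this.headers[name] = value; },
    end(data) { this.body = data || ''; }
  };
  logoutHandler(req, res);
  return { status: res.statusCode, body: res.body, socket };
}
```

The identity lives on the socket rather than in a cookie, so the fields are only cleared on the connection that delivered the logout request.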