
Hello, I am building an app that uses passport-twitter to authenticate the user. I'm able to successfully log in the user using Twitter credentials, but I would like, when the user signs out (destroy the session), for the cookie to also be destroyed, so every time the user comes back to the app, he needs to authenticate again. So I'm guessing my session has to be modified, but I don't know how.

const session = require('express-session');

app.use(session({
  secret: "our-passport-local-strategy-app",
  resave: true,
  saveUninitialized: true
  // no cookie.maxAge is set here, so express-session issues a browser-session cookie with no Expires
}));

Any help is appreciated.

Alex ROJAS

1 Answer


Try to use Passport's official approach for logging out. The request object has a decorator that can be used. If you are using Express.js 4.x, the 'result' object has cookie-manipulating decorators as well.

app.get('/logout', function(req, res){
  // Remove the logged-in user from the session (Passport's req.logout decorator)
  req.logout();
  // Destroy the server-side session itself, if any, before touching the cookie
  req.session.destroy(function(){
    // Clear the specified cookies (use your session cookie's name here)
    res.clearCookie('your_key');
    // Redirect to homepage
    res.redirect('/');
  });
});
vorillaz
  • Is there any way to give a specific time for the cookie to exist in the browser, even after using this route ("/logout")? Because in my app.use(session).... I don't have a maxAge; since I'm using passport, I don't know how to modify my session. – Alex ROJAS Sep 15 '18 at 18:13
  • That does not make any sense. Killing the session for a user is irrelevant to the cookie's expiration date – vorillaz Sep 15 '18 at 18:15
  • I should have explained a little better. The reason I'm trying to destroy the cookie is that every time you use my app, you have to go through the authentication process to access the Twitter data, but instead every time it has instant access. So I figured it was because of the cookie. The only way to log out is actually going to Twitter and deleting the app from there. So my question is, I would like that after a day, if I want to log in through my app to Twitter, I would have to do the authentication again (username, password). I appreciate your help – Alex ROJAS Sep 15 '18 at 18:19
  • I would appreciate a little more help on the subject please – Alex ROJAS Sep 15 '18 at 19:18
  • What you are asking is not possible. You can't log out a user from an external authentication service. You shall set an expiration date on your side using the generated session. If you want to retrieve fresh data, read about refresh tokens with OAuth. – vorillaz Sep 15 '18 at 19:51
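An added example (not code from the question or the answer) of what the comments converge on: the app controls its own login lifetime through express-session's `cookie.maxAge`, and a logout route has to destroy the session and clear the cookie rather than only call `req.logout()`. It assumes express-session and Passport 0.6 or later (callback-style `req.logout`) and a cookie name of `sid`; the handler is a plain function so it runs here against stub `req`/`res` objects.

```javascript
// Added example, not code from the question or the answer. Assumes express-session
// (the options object below is passed to it) and Passport >= 0.6, where
// req.logout() takes a callback. No framework is loaded, so this runs stand-alone.
const ONE_DAY_MS = 24 * 60 * 60 * 1000;
const SESSION_COOKIE_NAME = 'sid'; // assumed name; express-session's default is 'connect.sid'

// Options for `app.use(session(sessionOptions(process.env.SESSION_SECRET)))`.
// cookie.maxAge is what makes the login lapse after a day: the browser drops the
// cookie at that time, and express-session stores the same expiry with the session.
function sessionOptions(secret) {
  return {
    name: SESSION_COOKIE_NAME,
    secret,
    resave: false,            // do not rewrite unchanged sessions on every request
    saveUninitialized: false, // no cookie is issued until something is stored (i.e. login)
    rolling: false,           // default: lifetime counts from login, not from the last request
    cookie: {
      httpOnly: true,         // not readable by page scripts
      secure: true,           // only sent over HTTPS
      sameSite: 'lax',        // still sent on the top-level redirect back from the OAuth provider
      maxAge: ONE_DAY_MS,
    },
  };
}

// Handler for `app.get('/logout', logoutHandler)`. req.logout() only removes the
// Passport user from the session; the session record and the cookie are torn
// down in separate steps, and each step waits for the previous one to finish.
function logoutHandler(req, res, next) {
  req.logout(function (logoutErr) {
    if (logoutErr) return next(logoutErr);
    req.session.destroy(function (destroyErr) {
      if (destroyErr) return next(destroyErr);
      res.clearCookie(SESSION_COOKIE_NAME); // tell the browser to drop the cookie now
      res.redirect('/');
    });
  });
}
```

Logging out of the app this way does not revoke anything at Twitter; as the last comment says, only the lifetime of the app's own session is under the app's control.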