https://github.com/expressjs/session
Looking at this question and the doc, it seems I don't need to delete the session cookie on the client side and use the destroy method on the backend. Wouldn't it generate an issue if I log in as a different user after logging out though, because of the session cookie?
I am wondering if using the logout method is enough to deal with the cookie when it has a TTL of 1 day and you log out after 30 minutes.

    app.get('/logout', function (req, res, next) {
      // logout logic

      // clear the user from the session object and save.
      // this will ensure that re-using the old session id
      // does not have a logged in user
      req.session.user = null
      req.session.save(function (err) {
        // return so the handler stops here when saving fails
        if (err) return next(err)

        // regenerate the session, which is good practice to help
        // guard against forms of session fixation
        req.session.regenerate(function (err) {
          if (err) return next(err)
          res.redirect('/')
        })
      })
    })

    app.listen(3000)
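
An added example, not part of the original post and not express-session's own code: a simplified in-memory model of what the handler above does to server-side state, showing what an old cookie resolves to when it is replayed within its 1-day TTL after a logout at 30 minutes. The names `store`, `newSession`, `userFor`, `login`, `logout` and `demo` are hypothetical, and the model assumes the cookie carries only a session id while the user lives in the server-side store.

```javascript
// Simplified model of server-side sessions (constructed for illustration;
// not express-session's source). The cookie holds only an id.
const { randomBytes } = require('node:crypto');

const store = new Map();              // session id -> { user, expires }
const TTL_MS = 24 * 60 * 60 * 1000;   // session lifetime: 1 day

function newSession(now) {
  const id = randomBytes(16).toString('hex');
  store.set(id, { user: null, expires: now + TTL_MS });
  return id;
}

// What the server resolves a cookie value to: the user, or null when the
// id is unknown, expired, or has no logged-in user.
function userFor(id, now) {
  const s = store.get(id);
  if (!s || s.expires <= now) return null;
  return s.user;
}

// Issue a fresh id on login so a pre-login id cannot be fixated.
function login(id, user, now) {
  store.delete(id);
  const fresh = newSession(now);
  store.get(fresh).user = user;
  return fresh;
}

// Mirrors the logout handler: clear the user, then regenerate, which
// drops the old record and hands out a new id.
function logout(id, now) {
  const s = store.get(id);
  if (s) s.user = null;
  store.delete(id);
  return newSession(now);
}

function demo() {
  const alice = login(newSession(0), 'alice', 0);
  const t30 = 30 * 60 * 1000;                 // logout after 30 minutes
  const anon = logout(alice, t30);
  const replayed = userFor(alice, t30 + 1);   // old cookie, still inside TTL
  const bob = login(anon, 'bob', t30 + 2);    // different user logs in
  return { alice, anon, replayed,
           bobUser: userFor(bob, t30 + 3), oldAfter: userFor(alice, t30 + 3) };
}
```
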