dougwilson
commented
1 year ago Thank you for reporting. The destroy function here is just a pass through to the destroy of the underlying store. You will need to open an issue with your store if it is invoking the callback before it actually finishes destroying the session.
Doing req.session.destroy(); does not always destroy the session before returning the response, even though my understanding is the callback, while asynchronous, should be awaiting a resolution. I noticed this error when running test scripts, where when continuously user deleting and registering a user account, after a certain number of requests their session cookie would still exist and I would get returned a 406 "user is already logged in error" from my error handling function.
The workaround to this is to do this: await util.promisify(req.session.destroy).bind(req.session)();
I just thought I would put this issue on here for awareness/possible bug fix.