Open vatsalpatel68 opened 3 years ago
Probably related: https://github.com/jaredhanson/passport/issues/216
If you've come across this issue, then take note that not removing the session cookie is probably not a big deal. During logout the user data is removed from the session:
This means that when the logged-out user tries to connect to the server, passport won't be able to find user data in the session and the user won't be authenticated.
Not removing the session is probably vulnerable to a session fixation attack (although I'm not sure whether it would be successful with no user data in the session). But passport regenerates the session on login and logout, which should prevent the possibility of such attacks.
Note: I'm not an expert in web app security, so do not take my words for granted.
I call the `req.logout()` function in my logout API. It clears the session on the server side but does not delete the cookie on the client side.