How to end a session in ExpressJS

I feel like this开发者_开发百科 has to be buried somewhere in the documentation, but I can't find it.

How do you close or end or kill (whatever) a session in ExpressJS?

---

Express 4.x Updated Answer

Session handling is no longer built into Express. This answer refers to the standard session module: https://github.com/expressjs/session

To clear the session data, simply use:

req.session.destroy();

The documentation is a bit useless on this. It says:

Destroys the session, removing req.session, will be re-generated next request. req.session.destroy(function(err) { // cannot access session here })

This does not mean that the current session will be re-loaded on the next request. It means that a clean empty session will be created in your session store on next request. (Presumably the session ID isn't changing, but I have not tested that.)

---

Never mind, it's req.session.destroy();

---

The question didn't clarify what type of session store was being used. Both answers seem to be correct.

For cookie based sessions:

From http://expressjs.com/api.html#cookieSession

req.session = null // Deletes the cookie.

For Redis, etc based sessions:

req.session.destroy // Deletes the session in the database.

---

Session.destroy(callback)

Destroys the session and will unset the req.session property. Once complete, the callback will be invoked.

↓ Secure way ↓ ✅

req.session.destroy((err) => {
  res.redirect('/') // will always fire after session is destroyed
})

---

↓ Unsecure way ↓ ❌

req.logout();
res.redirect('/') // can be called before logout is done

---

use,

delete req.session.yoursessionname;

---

From http://expressjs.com/api.html#cookieSession

To clear a cookie simply assign the session to null before responding:

req.session = null

---

To end a server-side session

https://github.com/expressjs/session#sessiondestroycallback

req.session.destroy(function(err) {
  // cannot access session here
})

Note, this is essentially a wrapper around delete req.session as seen in the source code:

https://github.com/expressjs/session/blob/master/session/session.js

defineMethod(Session.prototype, 'destroy', function destroy(fn) {
  delete this.req.session;
  this.req.sessionStore.destroy(this.id, fn);
  return this;
});

To end a cookie-session

https://github.com/expressjs/cookie-session#destroying-a-session

req.session = null;

---

req.session.destroy(); 

The above did not work for me so I did this.

req.session.cookie.expires = new Date().getTime();

By setting the expiration of the cookie to the current time, the session expired on its own.

---

You can retrieve the id of a session using req.session.id or req.sessionID and then pass it to req.sessionStore.destroy method like so:

const sessionID = req.session.id;
req.sessionStore.destroy(sessionID, (err) => {
  // callback function. If an error occurs, it will be accessible here.
  if(err){
    return console.error(err)
  }
  console.log("The session has been destroyed!")
})

Reference to the req.sessionStore.destroy method.

---

As mentioned in several places, I'm also not able to get the req.session.destroy() function to work correctly.

This is my work around .. seems to do the trick, and still allows req.flash to be used

req.session = {};

If you delete or set req.session = null; , seems then you can't use req.flash