appID not logging out #190

Open
davydnorris opened this issue Feb 27, 2020 · 3 comments

davydnorris commented Feb 27, 2020

I'm having the same issues as reported in #134

I've got my endpoints set up as documented in several places, with a login, a check_auth to check for login, a logout, and a protected page. I have also been dumping req.session to the console before and after each action.

I can see the session contains the user credentials after login, when I check the login, and also before I call WebAppStrategy.logout(req).

After I call the above I can see the session details are cleared, so it appears the logout has worked; however, if I hit the protected page or the check page, they are back again. If I call my logout once more I can again see the req.session[WebAppStrategy.AUTH_CONTEXT] before the call to WebAppStrategy.logout(req), and again it's cleared afterwards, but it just keeps coming back.

I am using Cloudant to implement a session store via the connect-cloudant-store package - could it be related to that?

EDIT: seems like others have had this problem with other passport related strategies and have found that they needed req.session.destroy() instead of or in addition to req.logout(). I see in the WebAppStrategy.logout code there's only req.logout()

@davydnorris
Author

OK have done some more digging and found this article:
https://medium.com/@caroline.e.okun/read-this-if-youre-using-passport-for-authentication-188d00968f1b

From the article:

> It turns out you have to specify that you want to clear the session from memory. If you leave out these config options, you will see cookies regenerated on subsequent requests in the browser after clearing the cookies.
>
> The default value for resave is true. The best way to know if this is necessary for your store is to check if it implements the touch method. If it does, then you can safely set resave: false. If it does not implement the touch method and your store sets an expiration date on stored sessions, then you likely need resave: true.

I've just had a look and I had resave: true in my code, so I have set it to false and it now appears that the user stays logged out. I just need to do some more testing to see that it doesn't affect the Cloudant storage.

I have also had a look in the AppID sample apps and they all have resave:true so they may need to be adjusted (see here)
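An added illustration (not code from this thread, the AppID SDK, or express-session) of the race that `resave: true` allows: a request that loaded the session before logout writes its stale copy back when it finishes, so the auth context reappears in the store. It is a simplified in-memory model; `AUTH_KEY`, the store, and all helper names are assumptions made for the example.

```javascript
// Simplified model of a session middleware's end-of-request save (not express-session's code).
const AUTH_KEY = 'AUTH_CONTEXT'; // hypothetical stand-in for req.session[WebAppStrategy.AUTH_CONTEXT]

// In-memory store that serialises on write, like a remote session store would.
function makeStore() {
  const rows = new Map();
  return {
    get: (sid) => (rows.has(sid) ? JSON.parse(rows.get(sid)) : null),
    set: (sid, sess) => rows.set(sid, JSON.stringify(sess)),
    destroy: (sid) => rows.delete(sid),
  };
}

// Start of a request: load a private copy of the stored session.
function beginRequest(store, sid) {
  const session = store.get(sid) || {};
  return { sid, session, loaded: JSON.stringify(session), destroyed: false };
}

// End of a request: resave=true writes the copy back even if the handler changed nothing.
function endRequest(store, req, resave) {
  if (req.destroyed) return;
  const modified = JSON.stringify(req.session) !== req.loaded;
  if (resave || modified) store.set(req.sid, req.session);
}

// Logout handler: clear the auth context and optionally destroy the stored session.
function logout(store, req, destroy) {
  delete req.session[AUTH_KEY];
  if (destroy) { store.destroy(req.sid); req.destroyed = true; }
}

// Interleave a slow protected-page request with a logout on the same session id.
function raceLogout({ resave, destroy }) {
  const store = makeStore();
  const sid = 'sid-1'; // constructed session id
  store.set(sid, { [AUTH_KEY]: { sub: 'user-123' } }); // constructed logged-in session
  const page = beginRequest(store, sid); // 1. protected page starts and loads the session
  const out = beginRequest(store, sid);  // 2. logout starts
  logout(store, out, destroy);
  endRequest(store, out, resave);        // 3. logout finishes first
  endRequest(store, page, resave);       // 4. page finishes last, holding a stale copy
  const stored = store.get(sid);
  return Boolean(stored && stored[AUTH_KEY]); // true means the user is logged in again
}

console.log('resave:true  ->', raceLogout({ resave: true, destroy: true }));
console.log('resave:false ->', raceLogout({ resave: false, destroy: true }));
```

In this model, destroying the session does not help while `resave` is true, because the in-flight request recreates the record when it ends.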

Contributor

jay-mack commented Feb 9, 2023

@stepoibm A new version of the SDK, v7, has been released. It includes revised samples of AppID working with passport v6. The samples include a revised logout method. Please also take note of the clearing of the refresh token upon logout. The behaviour you describe can occur if this is not cleared.


gbvacco commented Apr 2, 2024

I've tried everything to log out, but nothing has worked.

My application was using:

NodeJS 14.16
ibmcloud-appid: 6.2.5
passport: 0.5.2

After updating to NodeJS 18.19, the problem started to occur (only with logging out). So, I tried updating the packages to:
ibmcloud-appid: 7.0.0
passport: 0.6.0

I also updated the code as written in the README, but nothing seems to work. The only way to log out is by clearing all the browser data. Here is my current logout code:

```ts
logout(req: Request, res: Response, logoutPath: string) {
  (req as any)._sessionManager = false;
  WebAppStrategy.logout(req);
  res.clearCookie('refreshToken');
  res.redirect(logoutPath);
}
```

It appears that somehow the application session is being recreated during the redirections.
