I'm using Express cookie-session for authentication, which, if I understand correctly, works by storing a cookie locally in the browser of the user and no session data client-side.

The documentation says that in order to logout we should set req.session = null on the server. So right now, my client does an HTTP request to that endpoint.

Client:

async function logout() {
    await fetch(
        process.env.REACT_APP_SERVER_URL   "/logout",
        {
            method: "POST",
        }
    )
}

Server:

exports.logout = (req, res, next) => {
    req.session = null
    res.sendStatus(200)
}

But this can obviously fail if the server is down. So now I'm wondering if it's enough to just delete the session cookie client-side and even remove the logout endpoint completely. If there is no session data stored on the server, this should work just as well and not leave any residue, right?

CodePudding user response：

Yes that is correct, you can just delete the cookie and next time when the client hits the server, there will be no session to identify the user, hence the user will be logged out.

However, generally, the client side should not be able to work with the session cookie for security reasons, and almost always the session cookie is marked as httpOnly meaning that it can't be manipulated with javascript on the client-side.

One extra precaution you could take (if you decide to let the client work with the session cookie) is to sign the cookie, so even if the client changes the contents of the cookie, the cookie signature will not be valid and will be rejected by the server.