I'm using React as my client and ExpressJs as the server. When a user clicks on the logout
button, should I send a request to the server to clear the cookie or should I do it from the client-side?
CodePudding user response:
Both. I'd use passport.js to manage the server side stuff and use their tutorial https://www.passportjs.org/tutorials/password/ for sessionid authentication. On the server, once you ping the logout route, it will invalidate any sessionid passed to authenticated routes and not let you pass. The problem with not using both is that, after logout is visited and it is only invalidated on the server, your sessionid will not be valid for authenticated routes. The user would appear to have the same access, but once they try to access routes, it will drop a 401 error. The problem with only using client side logout, then, would be that the user would not be able to see what they can access, but anyone that has managed to steal the sessionid would still be able to use their account!