
Browser Back Button doesn't destroy the session in PassportJS + ExpressJS. How to kill/terminate the session entirely?

The code for my Logout Mechanism is

app.get('/logout', isLoggedIn, function(req, res) {
    req.logout();
    res.redirect('/');
});

I am using the express-session package with a secret key, and haven't set cookies anywhere.

When I click the browser Back button after logout, it still allows the user to go back to the authenticated page. How do I terminate this session entirely?

isLoggedIn is just authenticating via PassportJS's isAuthenticated method. What is the way out here?

Please help. Thanks in Advance.

Edit: This is the session ID (screenshot omitted).

Set the Cache-Control headers to no-cache conditionally for logged-out users:

app.use(function(req, res, next) {
    if (!req.user)
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    next();
});

This will force the browser to obtain a new copy of the page even when the user hits "back".


Note: This comes at the cost of disabling the cache for all users that aren't logged in, which for the sake of this answer includes the ones that just logged out. You should probably find a way to distinguish between the two if you don't want to disable the cache entirely for all logged-out users. Something with sessions.

If you're sure that when the user hits back, '/login' is the route they will land on, then you can define it only there, thus saving yourself the trouble of doing the above.


Where exactly does this code go?

app.get('/logout', isLoggedIn, function(req, res) {
    req.logOut();
    if (!req.user)
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    res.redirect('/login');
});

Can it be used like this?

No.

app.get (or app.use) defines your routes. Documentation: http://expressjs.com/api.html#request

app.get('/logout'... will only be executed if the route '/logout' is requested by the client.

app.use(...) (without specifying any route) will be executed for all requests.

These route "middlewares" (as they are called) are also executed in succession, one after another. (You'll learn more in the docs mentioned above.)

You want to set the headers before any other route, so that whatever those other routes render is rendered with the header that forcibly invalidates the user's cache.

// > HERE <
// before all the other routes

app.get('/logout'...
app.get('/login'...
app.get('/'...
app.get('/stuff'...
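The ordering point above, worked through as an added example that is not code from either answer: an Express-style cache-control middleware registered before the routes, a logout handler that also destroys the server-side session, and a tiny stand-in dispatcher (constructed here, not Express, Passport or express-session) so the whole thing runs with no dependencies. It assumes the Passport 0.6+ callback form of req.logout, the default express-session cookie name connect.sid, and a constructed list of per-user routes.

```javascript
const PROTECTED = ['/dashboard']; // constructed: routes that render per-user data
// Runs before every route (app.use order), so whatever a route renders carries the
// header. Per-user pages are never cacheable; other responses follow the answer's rule.
function cacheControl(req, res, next) {
  if (!req.user || PROTECTED.includes(req.path)) {
    res.setHeader('Cache-Control', 'private, no-cache, no-store, must-revalidate');
  }
  next();
}

function requireLogin(req, res, next) { // stand-in for the question's isLoggedIn
  if (!req.user) return res.redirect('/login');
  next();
}

// Passport 0.6+ req.logout takes a callback; afterwards destroy the server-side session
// and expire the cookie, so a replayed cookie no longer maps to an authenticated user.
function logout(req, res) {
  req.logout(() => {
    req.session.destroy(() => {
      res.clearCookie('connect.sid'); // express-session's default cookie name
      res.redirect('/login');
    });
  });
}

const routes = {
  '/login': [(req, res) => res.send('login form')],
  '/dashboard': [requireLogin, (req, res) => res.send(`hello ${req.user.name}`)],
  '/logout': [requireLogin, logout],
};

// Minimal stand-in for Express dispatch and for the Passport/express-session request
// object (constructed here, not the real libraries): handlers run in registration order.
function simulate(path, user) {
  const req = {
    path, user, sessionDestroyed: false,
    logout(cb) { this.user = null; cb(); },
    session: { destroy(cb) { req.sessionDestroyed = true; cb(); } },
  };
  const res = {
    statusCode: 200, headers: {}, body: '',
    setHeader(k, v) { this.headers[k] = v; }, send(t) { this.body = t; },
    clearCookie(name) { this.headers['Set-Cookie'] = `${name}=; Max-Age=0`; },
    redirect(url) { this.statusCode = 302; this.headers.Location = url; },
  };
  const chain = [cacheControl, ...routes[path]]; let i = 0;
  const next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return { req, res };
}
```

Calling simulate('/dashboard', null) yields a 302 to /login that already carries the no-store header, because cacheControl ran before the route; simulate('/logout', { name: 'alice' }) leaves req.user null, the session destroyed and the cookie expired.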
