I feel like this has to be buried somewhere in the documentation, but I can't find it.
How do you close or end or kill (whatever) a session in ExpressJS?
110 Answers
Express 4.x Updated Answer
Session handling is no longer built into Express. This answer refers to the standard session module:
To clear the session data, simply use:
req.session.destroy(); The documentation is a bit useless on this. It says:
Destroys the session, removing req.session, will be re-generated next request.
req.session.destroy(function(err) { // cannot access session here })
This does not mean that the current session will be re-loaded on the next request. It means that a clean empty session will be created in your session store on next request. (Presumably the session ID isn't changing, but I have not tested that.)
2Never mind, it's req.session.destroy();
The question didn't clarify what type of session store was being used. Both answers seem to be correct.
For cookie based sessions:
req.session = null // Deletes the cookie. For Redis, etc based sessions:
req.session.destroy // Deletes the session in the database. 1To clear a cookie simply assign the session to null before responding:
req.session = null 0Session.destroy(callback)
Destroys the session and will unset the req.session property. Once complete, the callback will be invoked.
↓ Secure way ↓ ✅
req.session.destroy((err) => { res.redirect('/') // will always fire after session is destroyed }) ↓ Unsecure way ↓ ❌
req.logout(); res.redirect('/') // can be called before logout is done 2use,
delete req.session.yoursessionname; 3To end a server-side session
req.session.destroy(function(err) { // cannot access session here }) Note, this is essentially a wrapper around delete req.session as seen in the source code:
defineMethod(Session.prototype, 'destroy', function destroy(fn) { delete this.req.session; this.req.sessionStore.destroy(this.id, fn); return this; }); To end a cookie-session
req.session = null; You can retrieve the id of a session using req.session.id or req.sessionID and then pass it to req.sessionStore.destroy method like so:
const sessionID = req.session.id; req.sessionStore.destroy(sessionID, (err) => { // callback function. If an error occurs, it will be accessible here. if(err){ return console.error(err) } console.log("The session has been destroyed!") }) Reference to the req.sessionStore.destroy method.
req.session.destroy(); The above did not work for me so I did this.
req.session.cookie.expires = new Date().getTime(); By setting the expiration of the cookie to the current time, the session expired on its own.
As mentioned in several places, I'm also not able to get the req.session.destroy() function to work correctly.
This is my work around .. seems to do the trick, and still allows req.flash to be used
req.session = {}; If you delete or set req.session = null; , seems then you can't use req.flash
1