Fix: Logout Glitch

[rajatmohan22]

Fixes: #2449

@lindapaiste I noticed your comments on the issue. You mentioned that you're not an expert on cookies, and I'm in the same boat 😄. However, after some investigation, here's what I've discovered:

1. Why doesn't the error occur on localhost?
Ans: Seemingly, browsers have different policies regarding cookies for different domains. Therefore, cookies and session management may behave differently compared to an external server ( This is actually evident if you open the networks tab on both localhost and the prod site and check the status code of the session.) This could lead to differences in how sessions are managed and why the issue doesn't occur locally.

2. How do we fix it?
Ans: Deleting the session. What's happening now is that, on logout, the session Id is changing. However, we want it gone!
Apparently Passport provides another function for this. It is called: session.destroy.

Please check it out, and let me know if any changes is required.

Here is a brief video/gif:

with req.session.destroy
screen-capture (1).webm

with req.logout:
screen-capture (3).webm

Changes:

I have verified that this pull request:

• has no linting errors (npm run lint)
• has no test errors (npm run test)
• is from a uniquely-named feature branch and is up to date with the develop branch.
• is descriptively named and links to an issue number, i.e. Fixes #123

[rajatmohan22]

@lindapaiste Have a look at both the videos:

• Using req.logout alone creates a new session.

• Using req.session.destroy deletes the session permanently.

[lindapaiste]

Thanks for researching this! At first glance it looks good.

[rajatmohan22]

@lindapaiste, this works. I deployed a test app. Repo link: https://github.com/rajatmohan22/AuthTest1.

Additionally, we can include HTML tags to clear the browser cache. Do you want me to do anything else to test it out particularly?

[rajatmohan22]

@raclim could you verify this?

[raclim]

Thanks for working on this! I also think this looks good to me for now.

[rajatmohan22]

@raclim Thank you! appreciate it.

[lindapaiste]

@raclim We need to roll this back.

I had not run it before (FYI, if I say something like "At first glance it looks good." that usually means I looked at the code but didn't run it). Now that I am running it I am getting a 500 error from the API when logging out, detailed here.

The passport logout function throws an error if there is no req.session. This PR is calling req.session.destroy first and req.logout second. Therefore the logout fails because the session is gone.

[rajatmohan22]

Refer to #2473 for detailed error explanations. I'm also super open to providing a line-by-line breakdown. I believe the code is error-free. However, we can also consider using the 'destroy' method without Passport's 'logout' if desired.

[raclim]

After giving another look at it I'm also getting the same 500 error here. Sorry I think I didn't give it as thorough of a glance as I should've at the time!

I'm going to revert this PR for now, and we can take a look at the new one submitted for this.