Browser Back Button doesn't destroy the session in PassportJS + ExpressJS. How to kill/terminate the session entirely?

Submitted by 前提是你 on 2019-12-12 23:28:36

Question


The code for my Logout Mechanism is

app.get('/logout', isLoggedIn, function(req, res) {
    req.logout();
    res.redirect('/');
});

I am using the express-session package with a secret key; I haven't set cookies anywhere.

When I click the browser Back button after logout, it still allows the user to go back to the authenticated page. How do I terminate this session entirely?

isLoggedIn just authenticates via PassportJS's isAuthenticated method. What is the way out here?

Please help. Thanks in Advance.

Edit: This is the session Id


Answer 1:


Set the Cache-Control header to no-cache conditionally for logged-out users:

app.use(function(req, res, next) {
    if (!req.user)
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    next();
});

This will force the browser to obtain a new copy of the page even when they hit "back".


Note: This comes at the cost of disabling cache for all users that aren't logged in, which for the sake of this answer includes the ones that just logged out. You should probably find a way to distinguish between the two if you don't want to disable cache entirely for all logged-out users. Something with sessions...

If you're sure that when the user hits back, '/login' is the route that they will land on, then you can define it only there, thus saving yourself the trouble of doing the above.


Where exactly does this code go?

app.get('/logout', isLoggedIn, function(req, res) {
    req.logOut();
    if (!req.user) 
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    res.redirect('/login');
});

Can it be used like this?

No.

app.get (or app.use) defines your routes. Documentation: http://expressjs.com/api.html#request

app.get('/logout'... will only be executed if the route '/logout' is requested by the client.

app.use(...) (without specifying any route) will be executed for all requests.

These route "middlewares" (as they are called) are also executed in succession, one after another. (You'll learn more in the docs mentioned above.)

You want to set the headers before any other route, so that whatever those other routes render is rendered with the header that forcibly invalidates the user's cache.

// > HERE <
// before all the other routes

app.get('/logout'...
app.get('/login'...
app.get('/'...
app.get('/stuff'...
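Putting the answer's two points together, as an added example that is not code from the question or the answer: the Cache-Control middleware mounted ahead of the routes, and a /logout handler that also destroys the express-session record (so the session ID in the cookie cannot be resumed). It assumes Passport 0.6+ (req.logout takes a callback) and express-session's req.session.destroy(); the req/res objects are hand-built stand-ins so it runs without a server.

```javascript
// Added example, not code from the question or the answer. Assumes
// Passport 0.6+ (req.logout(cb)) and express-session (req.session.destroy(cb)).
// Express's res.header() is an alias for Node's res.setHeader(), used here.
const NO_STORE = 'private, no-cache, no-store, must-revalidate';

// Mount with app.use() before every app.get()/app.post() route.
function noStoreForAnonymous(req, res, next) {
  if (!req.user) res.setHeader('Cache-Control', NO_STORE);
  next();
}

// Handler for app.get('/logout', ...). req.logout() only clears req.user;
// session.destroy() removes the server-side session record as well.
function logoutHandler(req, res) {
  req.logout(function (err) {
    if (err) { res.statusCode = 500; return res.end('logout failed'); }
    req.session.destroy(function () {
      res.setHeader('Cache-Control', NO_STORE);
      res.redirect('/login');
    });
  });
}

// Hand-built stand-ins for Express req/res (constructed for this example)
// so the handlers can be exercised without a server or the real modules.
function fakeRequest(user) {
  const req = { user: user, session: { destroyed: false } };
  req.logout = function (cb) { req.user = undefined; cb(null); };
  req.session.destroy = function (cb) { req.session.destroyed = true; cb(); };
  return req;
}

function fakeResponse() {
  const res = { headers: {}, redirectedTo: null, statusCode: 200 };
  res.setHeader = function (n, v) { res.headers[n.toLowerCase()] = v; };
  res.redirect = function (url) { res.statusCode = 302; res.redirectedTo = url; };
  res.end = function () {};
  return res;
}

// Anonymous view, logged-in view, then a logout; returns what each produced.
function simulate() {
  const anon = fakeResponse(), authed = fakeResponse(), out = fakeResponse();
  noStoreForAnonymous(fakeRequest(undefined), anon, function () {});
  noStoreForAnonymous(fakeRequest({ id: 42 }), authed, function () {});
  const req = fakeRequest({ id: 42 });
  logoutHandler(req, out);
  return { anon: anon.headers['cache-control'], authed: authed.headers['cache-control'],
           destroyed: req.session.destroyed, user: req.user, redirect: out.redirectedTo };
}
```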


Source: https://stackoverflow.com/questions/28346746/browser-back-button-doesnt-destroy-the-session-in-passportjs-expressjs-how-t
