Do we need to destroy the session when a user logs out? #124

Open
geoffbass opened this issue Jul 26, 2018 · 1 comment

Comments

@geoffbass
Contributor

We're already calling req.logout

@glebec
Member

glebec commented Nov 4, 2018

Some apps theoretically would not destroy the session because the user != the session; the app might want to be aware of persistent session info between users.

However there is also a risk that a student would conflate the user and the session and put info on req.session intended to be user-specific. In such cases, destroying the session on logout is a redundant layer of safety.

Either way, the code can be changed by the dev/student to accomplish the intended behavior. So the question is what should be the default. I'd maybe err on the side of caution here, and keep it the way it is (destroy session on logout).

However, I'm definitely open to counterarguments. One I can think of is that if we are worried about students conflating these ideas, this approach only reinforces that instead of disabusing them of the notion.
