koa-redis

How to destroy a session?

Open boojum opened this issue 4 years ago • 1 comments

Session is being created and saved to redis just fine, but I can't seem to destroy it. I'm not passing any custom options to koa-generic-session and only host, port, and password to koa-redis.

redis itself is run in a container, using the official docker image without only persistence enabled.

This is how I create and try to destroy the session:

  1. redis before any operations:
127.0.0.1:6379> scan 0
1) "0"
2) (empty list or set)
  2. login helper creating session and login:
// helper
export const logIn = async (ctx, id) => {
  ctx.session.userId = id
}

// actual login:
$ curl -X POST -v localhost:5000/login -H 'Content-Type: application/json' -d '{"email":"[email protected]","password":"Secret12"}' -c cookie.txt
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:5000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
> POST /login HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.65.3
> Accept: */*
> Content-Type: application/json
> Content-Length: 46
>
* upload completely sent off: 46 out of 46 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
* Added cookie koa.sid="RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr" for domain localhost, path /, expire 1587820434
< Set-Cookie: koa.sid=RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr; path=/; expires=Sat, 25 Apr 2020 13:13:54 GMT; httponly
* Added cookie koa.sid.sig="ahPnyPHjwKvN1w8SxNeKRopdS60" for domain localhost, path /, expire 1587820434
< Set-Cookie: koa.sid.sig=ahPnyPHjwKvN1w8SxNeKRopdS60; path=/; expires=Sat, 25 Apr 2020 13:13:54 GMT; httponly
< Content-Length: 29
< Date: Fri, 24 Apr 2020 13:13:54 GMT
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
{"status":"success","id":180}
  3. redis after logging in:
127.0.0.1:6379> scan 0
1) "0"
2) 1) "koa:sess:RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr"
  4. logout helper and logout:
// helper
export const logOut = async (ctx) => {
  const cookie = await ctx.cookies.get('koa.sid', { signed: true })
  console.log(ctx.header.cookie) // koa.sid.sig=ahPnyPHjwKvN1w8SxNeKRopdS60; koa.sid=RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr
  console.log('cookie', cookie) // RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr
  await store.destroy(cookie)
}

// actual logout
> curl -X POST -v localhost:5000/logout -b cookie.txt
*   Trying 127.0.0.1:5000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
> POST /logout HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.65.3
> Accept: */*
> Cookie: koa.sid.sig=ahPnyPHjwKvN1w8SxNeKRopdS60; koa.sid=RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Content-Length: 20
< Date: Fri, 24 Apr 2020 13:20:14 GMT
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
{"status":"success"}
  5. redis after logging out:
127.0.0.1:6379> scan 0
1) "0"
2) 1) "koa:sess:RlW0-3mTnu7DYgj8WZDogQ5QklXQ6BPr"

What am I missing here?

EDIT: The issue might be with how I initialise the session, and with the store used in the logout helper. koa-generic-session and koa-redis are being initialised as follows:

// in server.js
export const store = new redisStore(REDIS_OPTIONS)

app.use(
  session({
    store,
  }),
)

The exported store is then used in the logout helper in an attempt to destroy the session:

import { store } from '../server.js'

export const logOut = async (ctx) => {
  const cookie = await ctx.cookies.get('koa.sid', { signed: true })
  await store.destroy(cookie)
}

boojum, Apr 24 '20 13:04

You can use these apis on the store created by koa-redis, or you can use them on the session created by koa-generic-session.

But koa-generic-session adds a prefix to the key by default, as follows:

app.use(session({
  store: redisStore(dbConfig.REDIS_CONFIG),
  prefix: 'koa:sess:'
}));

So, the real key stored in redis is koa:sess: + sid. If you use the API on the store created by koa-redis directly, it defaults to no prefix. Koa-generic-session mounts the sessionStore for us on ctx. You can use ctx.sessionstore.destroy(sid) to destroy the session, which adds the prefix by default.

LongJinCen, May 03 '20 02:05
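
The prefix mismatch described in the reply above, as an added example that is not part of the original thread and is not koa-redis or koa-generic-session code. `RawStore`, `PrefixedStore`, `logOut` and the sample sid are constructed stand-ins for the raw store, the middleware's prefixing wrapper, and a logout that confirms the session is actually invalidated.

```javascript
// Stand-in for the raw store: operates on exactly the key it is given (no prefix).
class RawStore {
  constructor() { this.db = new Map(); }
  async get(key) { return this.db.get(key); }
  async set(key, value) { this.db.set(key, value); }
  async destroy(key) { this.db.delete(key); }
  keys() { return [...this.db.keys()]; }
}

// Stand-in for the session middleware's wrapper: prepends the prefix on every call.
class PrefixedStore {
  constructor(raw, prefix = 'koa:sess:') { this.raw = raw; this.prefix = prefix; }
  async get(sid) { return this.raw.get(this.prefix + sid); }
  async set(sid, sess) { return this.raw.set(this.prefix + sid, sess); }
  async destroy(sid) { return this.raw.destroy(this.prefix + sid); }
}

// Logout that fails closed: after destroying, look the sid up through the same
// prefix-aware store the middleware reads from and refuse to report success
// if the session can still be loaded.
async function logOut(destroyVia, sessionStore, sid) {
  await destroyVia.destroy(sid);
  if ((await sessionStore.get(sid)) !== undefined) {
    throw new Error('session still valid after logout');
  }
}

async function demo() {
  const raw = new RawStore();
  const sessionStore = new PrefixedStore(raw);
  const sid = 'constructed-sid-0001'; // constructed sample value
  await sessionStore.set(sid, { userId: 180 });
  const outcome = (p) => p.then(() => 'ok', (e) => e.message);

  // Bug from the issue: bare sid handed to the raw store; the prefixed key survives.
  const buggy = await outcome(logOut(raw, sessionStore, sid));
  const keysAfterBuggy = raw.keys();

  // Fix from the reply: destroy through the prefix-aware store.
  const fixed = await outcome(logOut(sessionStore, sessionStore, sid));
  return { buggy, keysAfterBuggy, fixed, keysAfterFix: raw.keys() };
}
```

Without the post-destroy lookup, the buggy path returns success while the session key stays in the store until its TTL expires, which is what the `scan 0` output in the issue shows.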