
Comments (3)

dougwilson commented on April 27, 2024

So the sig is just a hash of the data itself. Since the client controls all the data, it can always resend the data even after you alter it from the server, because ultimately the client controls it. This is the downside of client side sessions.

You may want to consider using server side sessions instead, where the client cannot control what data is sent back, as that is ultimately the only way you can expire a session based on an event instead of time: you have to have something stored on the server to know if that given session has been logged out or not.

I hope this helps explain the difference between client side and server side sessions.

If you know a way in which to implement this without any server side storage, you're welcome to open a pull request with an implementation. As far as I know, it is not possible to prevent what you described with client side sessions.

from cookie-session.

mshibl commented on April 27, 2024

@dougwilson thank you for the explanation -- so if I understand correctly, for a given input the session and the session.sig will always be the same every time it gets generated -- and there's no way for the server to know if this session is no longer valid


dougwilson commented on April 27, 2024

Yes, that is correct. You can always add a date time in your data you store which is the time you want to expire the session, but the session will then be valid until that time passes, so the log out scenario would still not work since you wouldn't know the exact date time the user will log out ahead of time.
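The difference discussed in this thread, as an added example that is not part of the original comments and is not cookie-session's own code: a simplified model showing that a saved copy of a client-side session cookie still verifies after logout, while a server-side session id stops working once its record is deleted. The HMAC-SHA256 signing, the key, the in-memory `store` and all function names are assumptions made for the illustration.

```javascript
// Added illustration; a simplified model, not cookie-session's implementation.
const crypto = require('node:crypto');
const KEY = 'constructed-demo-key'; // constructed secret, for the demo only

// Deterministic: the same data and key always produce the same signature.
function sign(value) {
  return crypto.createHmac('sha256', KEY).update(value).digest('hex');
}
function verify(value, sig) {
  const expected = Buffer.from(sign(value));
  const given = Buffer.from(String(sig));
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Client-side session: all state lives in the cookie pair the client holds.
function clientSideLogin(user) {
  const value = Buffer.from(JSON.stringify({ user })).toString('base64');
  return { value, sig: sign(value) };
}
function clientSideCheck(cookie) {
  if (!verify(cookie.value, cookie.sig)) return null;
  return JSON.parse(Buffer.from(cookie.value, 'base64').toString()).user;
}

// Server-side session: the cookie carries only a random id; state is stored.
const store = new Map(); // hypothetical in-memory session store
function serverSideLogin(user) {
  const id = crypto.randomBytes(16).toString('hex');
  store.set(id, { user });
  return { value: id, sig: sign(id) };
}
function serverSideCheck(cookie) {
  if (!verify(cookie.value, cookie.sig)) return null;
  const session = store.get(cookie.value);
  return session ? session.user : null;
}
function serverSideLogout(cookie) {
  store.delete(cookie.value); // the logout event is recorded on the server
}

function demo() {
  // Client-side "logout" only asks the browser to drop the cookie; a copy
  // saved beforehand is unchanged and its signature is still valid.
  const savedClient = clientSideLogin('alice');
  const afterClientLogout = clientSideCheck(savedClient);
  const savedServer = serverSideLogin('alice');
  const before = serverSideCheck(savedServer);
  serverSideLogout(savedServer);
  return { afterClientLogout, before, after: serverSideCheck(savedServer) };
}
```

`demo()` returns `afterClientLogout: 'alice'` for the client-side cookie and `after: null` for the server-side one, which is the behaviour the comments above describe.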
