node.js express express-session

What is the practical difference between res.clearCookie() and req.session.destroy()?


I'm using node.js, with the express and express-session packages to test various CRUD implementations.

What is the practical difference between res.clearCookie() and req.session.destroy()?

Both code patterns below appear to accomplish the same thing, but I wonder if I'm missing something important.

Code pattern 1:

router.post('/logout', function(req, res, next) {
    req.session.destroy( function(error) {
        if(error) {
            console.log(error);
        }
        res.redirect('/');
    });
});

Code pattern 2:

router.post('/logout', function(req, res, next) {
    res.clearCookie(SESSION_NAME);
    res.redirect('/');
});

Solution

  • res.clearCookie() will just delete the cookie, and if you can somehow restore the cookie (if you had a backup or if someone stole it), you will log back in (or whatever the cookie's functionality was). If you use req.session.destroy(), the session will be invalidated in the server as well, so even if you got back the cookie you won't get back the session.
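The difference the answer describes, shown with a simplified in-memory model of a server-side session store. This is an added example, not code from the original post or from express-session; the names `login`, `authenticate`, `logoutClearCookieOnly`, `logoutDestroy` and `replayAfterLogout` and the cookie name `sid` are hypothetical.

```javascript
// Simplified model of a server-side session store (constructed for this
// example; it stands in for the store express-session keeps behind the cookie).
const crypto = require('crypto');
const store = new Map();                 // session id -> session data

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  store.set(sid, { user });
  return sid;                            // value the browser receives in its cookie
}

// What the server does on each request: look up the presented session id.
function authenticate(sid) {
  const session = store.get(sid);
  return session ? session.user : null;
}

// Pattern 2 from the question: the browser is told to drop the cookie,
// but the server-side record is left in place.
function logoutClearCookieOnly(sid, res) {
  res.cookies.delete('sid');
}

// Pattern 1 plus cookie removal: invalidate on the server, then drop the cookie.
function logoutDestroy(sid, res) {
  store.delete(sid);
  res.cookies.delete('sid');
}

// Log in, keep a copy of the cookie value outside the browser (a backup or a
// stolen copy), log out with the given function, then present the copy again.
function replayAfterLogout(logoutFn) {
  const sid = login('alice');
  const res = { cookies: new Map([['sid', sid]]) };   // fake browser cookie jar
  const copied = sid;
  logoutFn(sid, res);
  return {
    browserHasCookie: res.cookies.has('sid'),
    replayedUser: authenticate(copied),
  };
}

console.log('clearCookie only:', replayAfterLogout(logoutClearCookieOnly));
console.log('destroy + clear :', replayAfterLogout(logoutDestroy));
```

In an Express handler the same effect comes from calling `res.clearCookie(SESSION_NAME)` inside the `req.session.destroy()` callback, so the server-side session is invalidated and the browser's cookie is removed in one logout.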