My cookie must expired at the end of the session with cookie-session and node js and express

I have a problem with my cookie of session using cookie-session for express and node js When I close my browser the cookie of session is not delete

app.use(cookieSession({
    name: 'session',
    keys: ['key1', 'key2'],
    secret: 'secret',
    cookie: {
      secure: true,
      domain:"lucie-oreo.fr",
      httpOnly: false,
      path: '/'
      expires:false //I tried with null ,0 
    }
  }));

I don’t understand why the cookies is not deleted Thanks to help me 🙂

Answer

Browsers can store the cookie even if you restart them. You have to send additional header informations, which can be a date in the past to make sure it is expired when the session ends or disallow caching of the cookie, which can be done with the Cache-Control: private or Cache-Control: no-cache="set-cookie" directive.

MDN HTTP Cookies:

  • Session cookies are deleted when the current session ends. The browser defines when the “current session” ends, and some browsers use session restoring when restarting, which can cause session cookies to last indefinitely long.

RFC 2109 Section 4.2.3 says:

If the cookie is intended for use by a single user, the Set-cookie header should not be cached. A Set-cookie header that is intended to be shared by multiple users may be cached.

The origin server should send the following additional HTTP/1.1 response headers, depending on circumstances:

  • To suppress caching of the Set-Cookie header: Cache-control: no-cache=”set-cookie”.