Since version 0.6.0 (which was released only a few days ago by the time of writing this), req.logout
is asynchronous. This is part of a larger change that averts session fixation attacks.
See the release announcement:
The other major change is that req.logout() is now an asynchronous function, whereas previously it was synchronous. For instance, a logout route that was previously:

    app.post('/logout', function(req, res, next) {
      req.logout();
      res.redirect("https://stackoverflow.com/");
    });

should be modified to:

    app.post('/logout', function(req, res, next) {
      req.logout(function(err) {
        if (err) { return next(err); }
        res.redirect("https://stackoverflow.com/");
      });
    });

Jared Hanson mentioned that the docs are not up to date yet:
It is necessary in order to improve the security of how sessions are managed during logout. Upgrading to 0.6.0 will require applications to pass a callback to req#logout. I’m still working on updating the docs and examples.
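
For routes written with async/await, the callback form described in the answer can be wrapped in a Promise so the redirect still happens only after logout has completed. This is an added example, not code from the answer or from Passport; logoutAsync, logoutHandler, makeStubReq and runLogout are hypothetical names, and the request object is a constructed stub so the block runs without Express or Passport installed.

```javascript
'use strict';

// Promise wrapper around the callback-style req.logout (passport >= 0.6.0).
function logoutAsync(req) {
  return new Promise(function (resolve, reject) {
    req.logout(function (err) {
      if (err) { return reject(err); }
      resolve();
    });
  });
}

// Express-style handler factory: redirect only after logout has finished,
// and pass any failure to the error middleware through next(err).
function logoutHandler(redirectTo) {
  return async function (req, res, next) {
    try {
      await logoutAsync(req);
      res.redirect(redirectTo);
    } catch (err) {
      next(err);
    }
  };
}

// Constructed stand-in for a passport request (not passport's code):
// logout clears req.user and then completes on a later tick.
function makeStubReq(failWith) {
  const req = { user: { id: 1 }, logoutDone: false };
  req.logout = function (done) {
    req.user = null;
    setImmediate(function () {
      req.logoutDone = !failWith;
      done(failWith || null);
    });
  };
  return req;
}

// Runs the handler against a stub request and records what it did.
async function runLogout(req) {
  const seen = { redirect: null, error: null, doneAtRedirect: null };
  const res = {
    redirect(url) { seen.redirect = url; seen.doneAtRedirect = req.logoutDone; }
  };
  await logoutHandler('/')(req, res, function (err) { seen.error = err; });
  return seen;
}
```

In a real application the handler would be mounted as app.post('/logout', logoutHandler('/')), where the '/' redirect target is an assumption.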