update cookies

config.js

@@ -53,22 +53,6 @@ exports.creds = {
     // Required to set to true if the `verify` function has 'req' as the first parameter
     passReqToCallback: false,
 
-    // Recommended to set to true. By default we save state in express session, if this option is set to true, then
-    // we encrypt state and save it in cookie instead. This option together with { session: false } allows your app
-    // to be completely express session free.
-    useCookieInsteadOfSession: true,
-
-    // Required if `useCookieInsteadOfSession` is set to true. You can provide multiple set of key/iv pairs for key
-    // rollover purpose. We always use the first set of key/iv pair to encrypt cookie, but we will try every set of
-    // key/iv pair to decrypt cookie. Key can be any string of length 32, and iv can be any string of length 12.
-    // Example: openssl rand -base64 12 && openssl rand -base64 32
-    cookieEncryptionKeys: [ 
-      {
-        'key': process.env.NODE_ENV == "development" ? "TfGVn2Sn3WjFk3GNzvIvOw8aXh16NqFC" : process.env.COOKIE_KEY, // len 32
-        'iv': process.env.NODE_ENV == "development" ? "C1fRcgVZs1K7" : process.env.COOKIE_IV // len 12
-      },
-    ],
-
     // The additional scopes we want besides 'openid'.
     // 'profile' scope is required, the rest scopes are optional.
     // (1) if you want to receive refresh_token, use 'offline_access' scope
@@ -79,7 +63,7 @@ exports.creds = {
     loggingLevel: 'error',
 
     // Optional. The lifetime of nonce in session or cookie, the default value is 3600 (seconds).
-    nonceLifetime: null,
+    nonceLifetime: 3600,
 
     // Optional. The max amount of nonce saved in session or cookie, the default value is 10.
     nonceMaxAmount: 5,

index.js

@@ -61,8 +61,6 @@ function getRandomURL() {
 const secret = process.env.COOKIE_KEY || "secret";
 app.use(session({
   secret: secret,
-  resave: false,
-  saveUninitialized: true,
 }));
 
 //-----------------------------------------------------------------------------
@@ -264,7 +262,6 @@ app.get('/login',
         resourceURL: config.resourceURL,    // optional. Provide a value if you want to specify the resource.
         customState: 'my_state',            // optional. Provide a value if you want to provide custom state value.
         failureRedirect: '/error',
-        useCookieInsteadOfSession: true,
         domain_hint: config.branding.domainHint
       }
     )(req, res, next);
@@ -314,9 +311,10 @@ app.post('/auth/openid/return',
 
 // 'logout' route, logout from passport, and destroy the session with AAD.
 app.get('/logout', function(req, res){
-  res.clearCookie('connect.sid');
-  res.clearCookie('session');
-  res.clearCookie('session.sig');
+  res.clearCookie('connect.sid', {path:'/'});
+  res.clearCookie('session', {path:'/'});
+  res.clearCookie('session.sig', {path:'/'});
+  req.session=null;
   res.redirect('/');
 });
 
@@ -343,7 +341,12 @@ app.use(async (req, res, next) => {
 // begin business logic
 
 app.get('/', async function (req, res) {
+
   if (req.isAuthenticated()) { return res.redirect('/create') }
+  res.clearCookie('connect.sid', {path:'/'});
+  res.clearCookie('session', {path:'/'});
+  res.clearCookie('session.sig', {path:'/'});
+
   res.render('home.html', {partials, productName: config.branding.title, logoPath: config.branding.logoPath, copyrightOwner: config.branding.copyrightOwner, statusURL: config.branding.statusURL, orgHome: config.branding.orgHome,loginProvider: config.branding.loginProvider});
   return
 })

view/components/fullNavbar.html

@@ -17,12 +17,12 @@
             </ul>
             <div class="dropstart dropdown-menu-md">
                 <a href="#" class="d-block text-white text-decoration-none dropdown-toggle" data-bs-toggle="dropdown" aria-expanded="false">
-                  Signed in as: {{name}}
+                  Welcome {{name}}!
                 </a>
                 <ul class="dropdown-menu text-small">
                   <li><a class="dropdown-item disabled" href="#">Email: {{email}}</a></li>
                   <li><hr class="dropdown-divider"></li>
-                  <li><a class="dropdown-item" href="/logout">Logout</a></li>
+                  <li><a class="dropdown-item text-dark" href="/logout">Logout</a></li>
                 </ul>
               </div>
         </div>