Adding work to resolve issue 172: If a user decides to use signed cookies, only one of the 'koa:sess' cookies are correctly destroyed by the browser when the data is set to 'null'. This change fixes that by ensuring that the maxAge is always set when destroying the cookie, and the 'koa:sess.sig' cookies are also destroyed.

Changes:
- On destroy, set 'maxAge' to be false
- On destroy, set the 'expires' flag to be UNIXTIME epoch, which the 'Cookie' module relies on
- Added test case for the cookie time being set

Author: jmitchell38488

lib/context.js

@@ -4,6 +4,7 @@ const debug = require('debug')('koa-session:context');
 const Session = require('./session');
 const util = require('./util');
 
+const COOKIE_EXP_DATE = 'Thu, 01 Jan 1970 00:00:00 GMT';
 const ONE_DAY = 24 * 60 * 60 * 1000;
 
 class ContextSession {
@@ -273,7 +274,12 @@ class ContextSession {
    */
 
   async remove() {
-    const opts = this.opts;
+    // Override the default options so that we can properly expire the session cookies
+    const opts = Object.assign({}, this.opts, {
+      expires: new Date(COOKIE_EXP_DATE),
+      maxAge: false,
+    });
+
     const ctx = this.ctx;
     const key = opts.key;
     const externalKey = this.externalKey;

test/cookie.test.js

@@ -249,6 +249,24 @@ describe('Koa Session Cookie', () => {
     });
   });
 
+  describe('after session set to null', () => {
+    it('should return expired cookies', done => {
+      const app = App();
+
+      app.use(async function(ctx) {
+        ctx.session.hello = {};
+        ctx.session = null;
+        ctx.body = String(ctx.session === null);
+      });
+
+      request(app.listen())
+        .get('/')
+        .expect('Set-Cookie', /koa:sess=; path=\/; expires=Thu, 01 Jan 1970 00:00:00 GMT/)
+        .expect('true')
+        .expect(200, done);
+    });
+  });
+
   describe('when get session after set to null', () => {
     it('should return null', done => {
       const app = App();