Do we need to destroy the session when a user logs out?

[geoffbass]

We're already calling req.logout

[glebec]

Some apps theoretically would not destroy the session because the user != the session; the app might want to be aware of persistent session info between users.

However there is also a risk that a student would conflate the user and the session and put info on req.session intended to be user-specific. In such cases, destroying the session on logout is a redundant layer of safety.

Either way, the code can be changed by the dev/student to accomplish the intended behavior. So the question is what should be the default. I'd maybe err on the side of caution here, and keep it the way it is (destroy session on logout).

However, I'm definitely open to counterarguments. One I can think of is that if we are worried about students conflating these ideas, this approach only reinforces that instead of disabusing them of the notion.