Express Passport.js: req.user VERSUS req.session.passport.user

春和景丽 2020-12-30 07:20

As per this article

http://toon.io/understanding-passportjs-authentication-flow/

it looks as though PassportJS/Express store the logged-in user in two places.

1 answer
  • 2020-12-30 07:57

    You should always, always use req.user in your own code -- this is important because if you use req.session.passport.user, you're essentially pulling user information out of a session cookie (which may be outdated).

    It's always best to rely on req.user as opposed to cookie data directly, as depending on your implementation, that information might be out of date.

    And to answer your question: if you log a user out, both req.session and req.user will no longer be available.

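The difference the answer describes, as an added example that is not part of the original thread and is not Passport's own code: a plain Node.js model in which the value kept in `req.session.passport.user` is a login-time snapshot, while `req.user` is rebuilt by a lookup on every request. The user record, the `role` field and the helper names are assumptions made for the illustration.

```javascript
// Plain Node.js model of the Passport session flow; needs no express or passport.
// The user store, the role field and all helper names are constructed.
const users = new Map();

// Stand-in for the callback given to passport.serializeUser: runs once at
// login and decides what is kept in req.session.passport.user.
const serializeUser = (user) => ({ id: user.id, role: user.role }); // role is a snapshot

// Stand-in for the callback given to passport.deserializeUser: runs on every
// request and rebuilds req.user from a fresh lookup.
const deserializeUser = (stored) => {
  const record = users.get(stored.id);
  return record ? { ...record } : null; // null: account no longer exists
};

function login(session, user) {
  session.passport = { user: serializeUser(user) };
}

// Builds the request object a route handler would see for this session.
function buildRequest(session) {
  const req = { session };
  const stored = session.passport && session.passport.user;
  if (!stored) return req;
  const user = deserializeUser(stored);
  if (user) req.user = user;
  else delete session.passport.user; // drop the reference to a deleted account
  return req;
}

// The same authorization check, decided from each source.
const isAdminFromUser = (req) => Boolean(req.user && req.user.role === 'admin');
const isAdminFromSession = (req) => {
  const stored = req.session.passport && req.session.passport.user;
  return Boolean(stored && stored.role === 'admin');
};

function demo() {
  users.set(42, { id: 42, name: 'alice', role: 'admin' });
  const session = {};
  login(session, users.get(42));
  users.get(42).role = 'viewer'; // privilege revoked after login
  const req = buildRequest(session);
  return { fromUser: isAdminFromUser(req), fromSession: isAdminFromSession(req) };
}

console.log(demo());
```

Serializing only the user id keeps authorization data out of the session entirely, so there is nothing stale to read by mistake.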