398947 (1) [Avatar] Offline
#1
1. The logout function is shown twice.

2. If the session refers to a user who no longer exists, then the user will not be able to logout since the req.session.userId value will be kept with the invalid userId forever - the user is prevented from setting it to null.