---
title: Invalidate Session On Logout
impact: MEDIUM
impactDescription: ensures logout actually terminates access
tags: session, logout, invalidation, security, csharp
---

## Invalidate Session On Logout

Ensure that logging out invalidates the session on the server side. Clearing the cookie or token in the browser alone leaves the server-side session (or a still-valid JWT) usable by anyone who holds a copy of it, so the server must terminate the session ticket or record the token as revoked.

**Incorrect (client-side only):**

```javascript
// Front-end removes cookie/token, but server token remains valid
localStorage.removeItem('token');
```

**Correct (server-side invalidation):**

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

[HttpPost]
public async Task<IActionResult> Logout()
{
    // Cookie auth: clear the server-side authentication ticket, not just the browser cookie
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

    // JWT: a stateless token stays valid until it expires, so add it to a
    // revocation list / blacklist (Redis/DB) that bearer validation checks on every request.
    // GetTokenAsync only returns the token when the handler was configured with SaveTokens = true.
    var token = await HttpContext.GetTokenAsync("access_token");
    if (!string.IsNullOrEmpty(token))
    {
        await _tokenBlacklistService.RevokeAsync(token);
    }

    return Ok();
}
```
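Revoking a JWT at logout only terminates access if token validation consults the revocation list on every subsequent request. The following added example (not part of the original rule) shows the other half of that design for ASP.NET Core: a hypothetical `ITokenBlacklistService` backed by an in-memory store keyed on the token's `jti` claim, and a `JwtBearerEvents.OnTokenValidated` hook that fails authentication for revoked tokens. The interface name, the in-memory implementation and the assumption that issued tokens carry a `jti` claim are this example's own; a real deployment would back the store with Redis or a database shared across instances.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Single-instance store; replace with a Redis/DB-backed implementation in production.
builder.Services.AddSingleton<ITokenBlacklistService, InMemoryTokenBlacklistService>();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Required so HttpContext.GetTokenAsync("access_token") returns the raw JWT at logout
        options.SaveTokens = true;
        options.Events = new JwtBearerEvents
        {
            // Runs after signature and lifetime checks pass; reject tokens revoked by logout
            OnTokenValidated = async ctx =>
            {
                var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                var blacklist = ctx.HttpContext.RequestServices
                    .GetRequiredService<ITokenBlacklistService>();
                if (await blacklist.IsRevokedAsync(jti))
                {
                    ctx.Fail("Token has been revoked.");
                }
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();

// Hypothetical revocation-list contract used by the Logout action above.
public interface ITokenBlacklistService
{
    Task RevokeAsync(string jwt);
    Task<bool> IsRevokedAsync(string? jti);
}

public sealed class InMemoryTokenBlacklistService : ITokenBlacklistService
{
    // jti -> the token's own expiry; an entry is useless once lifetime validation would reject it
    private readonly ConcurrentDictionary<string, DateTime> _revoked = new();
    private readonly JwtSecurityTokenHandler _handler = new();

    public Task RevokeAsync(string jwt)
    {
        if (string.IsNullOrEmpty(jwt) || !_handler.CanReadToken(jwt))
            return Task.CompletedTask;

        // Parse without re-validating: the caller already authenticated with this token
        var token = _handler.ReadJwtToken(jwt);
        var jti = token.Id; // the "jti" claim
        if (!string.IsNullOrEmpty(jti))
            _revoked[jti] = token.ValidTo; // UTC expiry from the "exp" claim

        return Task.CompletedTask;
    }

    public Task<bool> IsRevokedAsync(string? jti)
    {
        if (string.IsNullOrEmpty(jti))
            return Task.FromResult(false);

        // Lazily purge entries whose token has expired on its own
        if (_revoked.TryGetValue(jti, out var expiresAt) && expiresAt < DateTime.UtcNow)
        {
            _revoked.TryRemove(jti, out _);
            return Task.FromResult(false);
        }

        return Task.FromResult(_revoked.ContainsKey(jti));
    }
}
```

Keying the list on `jti` rather than the full token string keeps entries small and lets them expire with the token, so the list never grows beyond the number of tokens revoked within one token lifetime. Tokens without a `jti` claim cannot be revoked individually; for those, the fallback is a per-user "not before" timestamp checked in the same `OnTokenValidated` hook.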

**Tools:** Identity Framework, Manual Review
