---
title: Invalidate Session On Logout
impact: MEDIUM
impactDescription: ensures logout actually terminates access
tags: session, logout, invalidation, security
---

## Invalidate Session On Logout

Logout must revoke the session on the server, not just tell the client to forget it. If the server-side session record (or the JWT) stays valid after logout, any copy of the credential that was captured earlier, left in a browser on a shared machine, or already in an attacker's hands keeps working until it expires on its own, and the user has no way to cut it off.

**Incorrect (client-only logout):**

```go
package main

import "net/http"

// Server doesn't invalidate the session: it just returns success and
// relies on the client to discard its cookie or token.
func LogoutHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK) // session ID still valid on the server!
}
```

**Correct (server-side invalidation):**

```go
package main

import "net/http"

// sessionStore is the server-side store (e.g. Redis); only Delete is
// needed here, so the concrete type is left abstract.
var sessionStore interface{ Delete(sessionID string) }

// getSessionID returns the session cookie value, or "" if absent.
func getSessionID(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return c.Value
}

func LogoutHandler(w http.ResponseWriter, r *http.Request) {
	// 1. Destroy the server-side session first: this is what revokes
	//    access. Clearing the cookie does nothing for a copy the
	//    attacker already holds.
	if id := getSessionID(r); id != "" {
		sessionStore.Delete(id)
	}

	// 2. Clear the cookie. Name, Path and Domain must match the
	//    original or the browser keeps the old cookie.
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    "",
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   -1, // delete immediately
	})

	// 3. Keep the logout response out of caches.
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusOK)
}
```
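To see the difference end to end, here is an added example (not code from the original page) of a small Go service with an in-memory session store plus a replay check: an attacker captures the cookie at login, the user logs out, and the captured cookie is presented again. The `/login`, `/profile` and `/logout` routes, the hard-coded user `alice` and the `sync.Map` store are assumptions for the demonstration. The logout handler is also POST-only, since logout changes server state and a GET logout can be triggered cross-site.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

const cookieName = "session"

// App holds the session store; sync.Map stands in for a shared store such as
// Redis (assumption: production needs one so every replica sees the delete).
// Keys are session IDs, values are user IDs.
type App struct{ sessions sync.Map }

// Login issues a session; credential checking is out of scope here.
func (a *App) Login(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 16) // 128-bit random session ID
	if _, err := rand.Read(b); err != nil {
		http.Error(w, "server error", http.StatusInternalServerError)
		return
	}
	id := hex.EncodeToString(b)
	a.sessions.Store(id, "alice")
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// Profile is a protected resource: a live server-side session or 401.
func (a *App) Profile(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(cookieName); err == nil {
		if user, ok := a.sessions.Load(c.Value); ok {
			fmt.Fprintf(w, "hello %s", user)
			return
		}
	}
	http.Error(w, "unauthorized", http.StatusUnauthorized)
}

// Logout is POST-only (it changes state), deletes the server-side session
// first, then clears the cookie. Without the Delete a stolen copy of the
// cookie keeps working no matter what the browser does.
func (a *App) Logout(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if c, err := r.Cookie(cookieName); err == nil {
		a.sessions.Delete(c.Value)
	}
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: -1})
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusNoContent)
}

// NewHandler wires the three routes used by the demonstration.
func NewHandler() http.Handler {
	a := &App{}
	mux := http.NewServeMux()
	mux.HandleFunc("/login", a.Login)
	mux.HandleFunc("/profile", a.Profile)
	mux.HandleFunc("/logout", a.Logout)
	return mux
}

// ReplayAfterLogout plays the attacker: capture the cookie at login, let the
// victim log out, then replay it. Returns the /profile status before and after.
func ReplayAfterLogout(h http.Handler) (before, after int) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/login", nil))
	stolen := rec.Result().Cookies()[0]
	profile := func() int {
		req := httptest.NewRequest(http.MethodGet, "/profile", nil)
		req.AddCookie(stolen)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	before = profile()
	logout := httptest.NewRequest(http.MethodPost, "/logout", nil)
	logout.AddCookie(stolen)
	h.ServeHTTP(httptest.NewRecorder(), logout)
	after = profile()
	return before, after
}

func main() {
	before, after := ReplayAfterLogout(NewHandler())
	fmt.Printf("replayed cookie: %d before logout, %d after\n", before, after)
}
```

`ReplayAfterLogout(NewHandler())` returns 200 then 401. If `Logout` skipped the `Delete` call, the second value would still be 200 even though the browser dropped its cookie, which is exactly the client-only logout above. For stateless JWTs there is no server-side record to delete, so short token lifetimes have to be combined with a server-side denylist.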

**Tools:** Session management libraries backed by a server-side store (for cookie sessions); for JWTs, a denylist keyed on the `jti` claim and kept until the token's `exp`, combined with short token lifetimes.
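Stateless tokens such as JWTs are not stored on the server, so logout has to record the revoked token instead of deleting it. Below is an added example, not from the original page, of a denylist keyed on the token's `jti` claim. It assumes the tokens carry unique `jti` and `exp` claims and that signature verification and claim parsing happen before this check; the map with a mutex stands in for a shared store such as Redis.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Denylist records revoked token IDs (the JWT "jti" claim) together with the
// token's own expiry. Assumption: tokens carry unique jti and exp claims, and
// signature verification and claim parsing happen before this check.
type Denylist struct {
	mu      sync.Mutex
	revoked map[string]time.Time // jti -> exp
}

func NewDenylist() *Denylist {
	return &Denylist{revoked: make(map[string]time.Time)}
}

// Revoke is called at logout. An entry only has to outlive its token, so
// exp doubles as the entry's lifetime (in Redis: SET with EX = exp - now).
func (d *Denylist) Revoke(jti string, exp time.Time) {
	d.mu.Lock()
	defer d.mu.Unlock()
	d.revoked[jti] = exp
}

// Accept is the per-request check: a token is usable only if it is not yet
// expired and not on the list.
func (d *Denylist) Accept(jti string, exp, now time.Time) bool {
	if !now.Before(exp) {
		return false // expired on its own; the denylist is not consulted
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	_, revoked := d.revoked[jti]
	return !revoked
}

// Prune drops entries whose tokens have expired anyway and returns how many
// remain; run it periodically so the list stays bounded by the token lifetime.
func (d *Denylist) Prune(now time.Time) int {
	d.mu.Lock()
	defer d.mu.Unlock()
	for jti, exp := range d.revoked {
		if !now.Before(exp) {
			delete(d.revoked, jti)
		}
	}
	return len(d.revoked)
}

func main() {
	d := NewDenylist()
	now := time.Now()
	exp := now.Add(15 * time.Minute) // typical short-lived access token
	d.Revoke("token-1", exp)
	fmt.Println("token-1 after logout:", d.Accept("token-1", exp, now))
	fmt.Println("token-2 untouched:", d.Accept("token-2", exp, now))
	fmt.Println("entries after expiry:", d.Prune(exp))
}
```

The denylist must be consulted on every authenticated request, not only at logout, and it only works if `exp` is short: an entry lives as long as the token it blocks, so a token valid for a month keeps its entry for a month.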
