
I'm surprised that this issue is being raised now. It seems like it should have been obvious.

It looks like a fundamental design problem with a client side token... You can limit intrusions by adding an expires_at value to the cookie data. But I don't see any way to actually expire a token without some server side tracking.
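The trade-off described in the comment above, as an added example that is not part of the original comment or of any project's code: a signed client-side cookie with an `expires_at` field, verified with and without a server-side revocation set. The names `SECRET`, `REVOKED`, `issue`, `verify`, `logout` and the cookie layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # assumption: signing key known only to the server
REVOKED = set()                   # assumption: server-side store of revoked session ids

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue(user: str, now: int, ttl: int = 900) -> str:
    """Build a signed client-side cookie that carries its own expires_at."""
    data = {"user": user, "sid": secrets.token_hex(8), "expires_at": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    return payload.decode() + "." + _sign(payload).decode()

def verify(cookie: str, now: int, check_revoked: bool):
    """Return the session dict, or None if the cookie must be rejected."""
    payload, _, sig = cookie.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return None                   # tampered, or signed with another key
    data = json.loads(base64.urlsafe_b64decode(payload))
    if now >= data["expires_at"]:
        return None                   # expires_at only bounds the replay window
    if check_revoked and data["sid"] in REVOKED:
        return None                   # early expiry needs this server-side lookup
    return data

def logout(cookie: str, now: int) -> None:
    """Server-side tracking: record the session id of a valid cookie as revoked."""
    data = verify(cookie, now, check_revoked=False)
    if data is not None:
        REVOKED.add(data["sid"])

def demo() -> dict:
    cookie = issue("alice", now=1000)  # constructed sample values
    logout(cookie, now=1010)           # a copy of the cookie may still exist elsewhere
    return {
        "stateless_accepts_after_logout": verify(cookie, 1020, False) is not None,
        "tracked_accepts_after_logout": verify(cookie, 1020, True) is not None,
        "accepted_after_expires_at": verify(cookie, 1900, False) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The revocation set only has to hold a session id until that cookie's `expires_at`, so a short lifetime keeps the server-side state small.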


