3.3.1 Logout and expiration invalidate the session token

Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (C6)

Level 1 X
Level 2 X
Level 3 X
CWE NIST
613 7.1

General

If a session can still be used after logging out then the lifetime of the session is increased and that gives third parties that may have intercepted the session token more (or perhaps infinite, if no absolute session expiry happens) time to impersonate a user. One quick way to test this is to log in, get the session token from the cookie, log out, then manually add the session cookie with the session token and see if you are still logged in.

PHP

Look for session_destroy in the logout functionality.

Symfony

This is a setting in security.yml:

invalidate_session: true

used by the default session controls.

Drupal

Drupal does this by default for /user/logout, but be wary of custom frontend logins!