Save data to session, then log out. One logout endpoint leaves the session intact. The other properly flushes it. Find which logout is broken — and verify by reading the session afterwards.
Session fixation and improper session invalidation are common authentication bugs. When a user logs out, the server must call session.flush(), which destroys the stored session data and regenerates the session ID. Skipping this step means anyone who obtained the session cookie can keep using it to access the account after the "logout".
| Step | Action |
|---|---|
| Setup | Save a name to the session |
| Bug | Logout (buggy) — session is NOT flushed, data still readable after "logout" |
| Correct | Logout (correct) — session is flushed, data is gone |
| Verify | Read session after logout to confirm which behaviour occurred |
- Logout (Buggy) and try to read the session
- Logout (Correct) and verify the session is cleared
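The setup, both logouts and the verification step above, as an added example that is not part of the original exercise. It uses a small in-memory session store written for this example (not Django's code) whose `flush()` follows the semantics the text describes: discard all data and issue a new session key. The names `SessionStore`, `Session`, `logout_buggy`, `logout_correct` and `name_visible_after_logout` are assumptions made here; the sample name "alice" is constructed.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session storage: session key -> dict of session data.
    Constructed for this example; it imitates the shape of the Django
    session API (flush, key regeneration) and is not Django's own code."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        # A fresh, unguessable key for every new session.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = {}
        return key

    def load(self, key: str) -> Optional[dict]:
        # What the server sees when a request arrives carrying this cookie value.
        return self._sessions.get(key)

    def delete(self, key: str) -> None:
        self._sessions.pop(key, None)


class Session:
    """The per-request session object a view would work with."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self.key = store.create()

    def __setitem__(self, name: str, value) -> None:
        self.store.load(self.key)[name] = value

    def get(self, name: str, default=None):
        data = self.store.load(self.key)
        return default if data is None else data.get(name, default)

    def flush(self) -> None:
        # flush() semantics as described on the page: drop every stored value
        # AND issue a new key, so the old cookie value maps to nothing.
        self.store.delete(self.key)
        self.key = self.store.create()


def logout_buggy(session: Session) -> None:
    # Only records a flag; the stored data and the session key both survive,
    # so the pre-logout cookie is still a valid, fully populated session.
    session["logged_in"] = False


def logout_correct(session: Session) -> None:
    # Destroys the data and regenerates the key in one step.
    session.flush()


def name_visible_after_logout(logout) -> Optional[str]:
    """Setup -> logout -> verify: save a name, log out with the given
    function, then read the session back using the cookie value the
    client held before logout. Returns the name if it is still readable,
    or None if the session is really gone."""
    store = SessionStore()
    session = Session(store)
    session["name"] = "alice"      # constructed sample value
    session["logged_in"] = True
    old_cookie = session.key       # the value a client already holds
    logout(session)
    data = store.load(old_cookie)  # re-read the session with the old cookie
    return None if data is None else data.get("name")


if __name__ == "__main__":
    print("buggy logout, name still readable:", name_visible_after_logout(logout_buggy))
    print("correct logout, name still readable:", name_visible_after_logout(logout_correct))
```

Reading the session back with the pre-logout cookie is the check that distinguishes the two endpoints: the buggy one still returns the saved name, the correct one returns nothing because the old key no longer exists in the store.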