by brayden_wilmoth 1187 days ago
Hmm I wonder if this is a caching issue. It seems to be working on our part and no data is ever loaded. If you'd be willing to talk through a bit further I'd love to. brayden [at] outerbase [dot] com.

Assuming you use a token similar to JWT, then redirects and removing the token from the client don't matter if you don't blacklist the token on the backend, which if they were able to continue by hitting the back button seems the case. This does require you to keep a database of "logged-out" tokens and reject them, and occasionally run a cleanup script on the db to prune tokens from that table after they would have expired, but that's what is required when you use auth tokens for login.
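The revocation scheme the comment above describes, as an added example that is not part of the thread and not Outerbase's code: a minimal HMAC-signed token (a stand-in for a JWT), an in-memory "logged-out tokens" store keyed by the token id, a request check that rejects revoked or expired tokens with 401 even though the client still holds them, and the periodic prune that drops store entries once the underlying token would have expired anyway. The secret, the token format and the store are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Placeholder signing key for the demo only; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, exp: int) -> str:
    """Issue a 'body.signature' token; jti is the unique id used for revocation."""
    payload = {"sub": sub, "jti": jti, "exp": exp}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class RevocationStore:
    """In-memory stand-in for the database table of logged-out tokens (jti -> exp)."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        """Cleanup job: drop entries whose token has expired, since verify_request rejects those anyway."""
        expired = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in expired:
            del self._revoked[jti]
        return len(expired)


def verify_request(token: str, store: RevocationStore, now: int):
    """Backend check on every API call. Returns (http_status, payload)."""
    parts = token.split(".")
    if len(parts) != 2:
        return 401, None
    body, sig = parts
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return 401, None  # forged or tampered token
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return 401, None  # expired
    if store.is_revoked(payload["jti"]):
        return 401, None  # logged out: token is still valid cryptographically, but denied
    return 200, payload


def logout(token: str, store: RevocationStore, now: int) -> bool:
    """Server-side logout: record the token's jti until the token would expire on its own."""
    status, payload = verify_request(token, store, now)
    if status != 200:
        return False
    store.revoke(payload["jti"], payload["exp"])
    return True


def demo():
    """Walk through login -> logout -> replay -> prune; returns the observed statuses and prune counts."""
    store = RevocationStore()
    now = 1_700_000_000  # constructed fixed clock
    tok = issue_token("alice", "t-1", now + 3600)
    before = verify_request(tok, store, now)[0]      # 200: fresh token
    logout(tok, store, now)
    after = verify_request(tok, store, now)[0]       # 401: client hitting "back" still has tok, backend rejects it
    pruned_early = store.prune(now + 10)             # 0: entry must stay until the token expires
    pruned_late = store.prune(now + 3601)            # 1: token expired, entry no longer needed
    return before, after, pruned_early, pruned_late


if __name__ == "__main__":
    print(demo())
```

The prune job is safe precisely because `verify_request` checks `exp` before consulting the store: once a token is past its expiry the revocation entry carries no extra information, so the table stays bounded by the number of logouts within one token lifetime.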
Appreciate your taking the time to give us this suggestion -- but to clarify, we do revoke the token :D

From the screenshot that was provided, they're seeing the client render a page, but it's failing to acquire any data from the API. If they opened the network inspector they'd likely see that the requests are 401'ing after logging out.

I'm not pretending that this is good UX -- it's not -- but it's not evidence of a security issue. That said, we have every intention of nailing down fantastic UX as quickly as possible. (I'm a recent addition to the company but) it pains me personally for anyone to see any mistakes and I hope to impress you soon.