[can16358p]

There might be some sensitive applications where server might want to immediately revoke credentials server-side though.

[meindnoch]

And what will this hyper-sensitive application do if I yank the power cable from the computer? Or if I quit the browser with kill -9?

See, this is one of those "features" that clueless PMs ask their developers to implement, not having the technical knowledge to realize that their idea is unsalvageable. My other favorite is email address "validation" with ad hoc string format checks.

[can16358p]

It's just an extra measure, not protecting the server from a malicious user, but an honest user's potential mismanagement of credentials.