When a customer logs in, your app hands them a small digital key, usually called a token, that their browser presents on every request to prove who they are without retyping the password again and again. It is a convenience that makes the whole app usable. Built without care, it is also one of the easiest things to get quietly wrong.

A key that outlives its welcome

Two failures matter here, and neither announces itself. The first is a key that can be forged, where the app accepts a pass without properly checking that your own system issued it. The second is a key that keeps working forever, still valid long after the customer logged out or changed their password.

Imagine a customer whose key gets copied from a shared computer they used once. If that key never expires, and logging out did not truly cancel it, whoever holds it has a standing pass into that account, and nothing the customer does from their side takes it away. The account stays reachable, indefinitely, and no error ever appears to warn anyone.

Tell your AI: "Walk me through how our login key is checked and how long it stays valid. I want to know what happens to it after a customer logs out or changes their password."

Refuse forgeries, and keep the key short-lived

The first fix is to make the app strict about what it accepts. Every key carries a signature that proves it came from you. If a key turns up with no valid signature, or is signed the wrong way, the app has to refuse it outright rather than giving it the benefit of the doubt. A forged pass should get nowhere.

The second is to stop issuing keys that last for weeks. A key should be good for minutes, then quietly renewed in the background while the customer keeps working, so they never notice. Each renewal retires the one before it. That way a key someone managed to copy has gone dead on its own before it is any use to them.

Tell your AI: "Reject any token with a missing or wrong signature. Make tokens expire in minutes and renew silently in the background, with each renewal invalidating the previous one."

Logging out has to mean something

The last piece is logout. In a lot of apps, logging out only clears the key from the browser and leaves the matching session alive on your server, which means the key itself still works if anyone kept a copy. Real logout has to reach your side and cancel the session there, so the key genuinely stops being accepted from that moment on.

The whole point is simple. When a customer leaves, the login should shut behind them and stay shut, whether they left by signing out or by changing a password they no longer trust.

Tell your AI: "Make logout cancel the session on the server, not just clear the browser, so the token truly stops working the moment someone signs out or changes their password."