Implicit Refreshing With Cookies example has a bug

[bokolob]

There is a possible conflict between logout and token prolongation. In the actual example, a new access cookie could be set after the logout request.

[vimalloc]

That's interesting. Thanks for catching that. It should be really easy to add an extra guard for that, I'll take a look at updating some stuff in the example to prevent that when I have some time. Two options to fix this off the top of my head:

• We should be able to look at the cookies being set on the response, and not refresh the jwt if there is already an unset cookie present.
• We can look at the request and do not do implicit refreshing if it's the logout endpoint that is being hit.