duffee / Mojolicious_session_example

A simple Mojolicious application example for authenticating a user and maintaining a session
Artistic License 2.0

Existing cookies are still valid for a while after logout when using Mojolicious::Sessions #25

Open richardleach opened 5 years ago

richardleach commented 5 years ago

It might be worth mentioning in Sessions.md or Logout.md that $self->session(expires => 1) expires the cookie on the client side but does not invalidate any existing cookies. (At least, not according to my 2 mins of testing just now; but that behaviour is consistent with session storage not being tracked server-side.)

A cookie obtained prior to logout could be stuffed back into the browser and used to access the application as the authenticated user, as long as the cookie hadn't expired in the meantime. This behaviour runs contrary to the expectation of the user, who has explicitly logged out, and may not be acceptable to the security requirements of some organisations. (See OWASP Session Management Cheat Sheet.)

In comparison, because MojoX::Session has a server-side component to session management, it should be possible to clear the server-stored session upon logout as well as clearing the client-side cookie. (Disclaimer: I haven't stepped through this.) Having done so, even if a non-expired valid cookie is presented to the application after logout, there's no server-side session state for the cookie to match and so the application should treat the request as being unauthenticated/unauthorized.
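One way to get the server-side check the comment proposes, written here as an added example (not code from this repository or from MojoX::Session): the Mojolicious signed cookie carries only a session id, and every protected request requires that id to still exist in a server-side store, so a replayed pre-logout cookie is rejected even while its signature and expiry are valid. The in-memory store, the hard-coded credentials and the route names are assumptions for the example.

```perl
use Mojolicious::Lite -signatures;

# Secret used to sign the client-side session cookie (constructed for the example).
app->secrets(['example-secret-rotate-me']);

# Server-side record of live sessions: sid => username. In-memory here, so it only
# works within one process; a real deployment would keep it in a database or cache
# shared by all workers.
my %active;
my $counter = 0;

# Issue a new server-side session id. The cookie is HMAC-signed by Mojolicious, so a
# client cannot forge a sid; the id only needs to be unique, not unpredictable.
sub new_sid { return join '-', $$, ++$counter }

# Credentials are hard-coded for the example only.
post '/login' => sub ($c) {
  my ($user, $pass) = ($c->param('user') // '', $c->param('pass') // '');
  return $c->render(text => 'bad credentials', status => 401)
    unless $user eq 'alice' && $pass eq 'secret';
  my $sid = new_sid();          # fresh id on every login (no session fixation)
  $active{$sid} = $user;
  $c->session(sid => $sid);
  $c->render(text => "logged in as $user");
};

# Bridge: every route below requires a sid that is still present server-side.
# A replayed pre-logout cookie carries a sid that was deleted at logout, so it is
# rejected even though its signature and expiry are still valid.
under sub ($c) {
  my $sid = $c->session('sid');
  return 1 if defined $sid && exists $active{$sid};
  $c->session(expires => 1);    # also drop the stale cookie on the client
  $c->render(text => 'unauthorized', status => 401);
  return undef;
};

get '/secret' => sub ($c) {
  $c->render(text => 'hello ' . $active{ $c->session('sid') });
};

post '/logout' => sub ($c) {
  delete $active{ $c->session('sid') };   # invalidate server-side ...
  $c->session(expires => 1);              # ... and expire the client-side cookie
  $c->render(text => 'logged out');
};

app->start;
```

To confirm the behaviour described in the issue is fixed, a Test::Mojo script can log in, copy the signed cookie out of the cookie jar, log out, and then send the saved cookie by hand to /secret; it should receive 401 rather than the protected content.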