Riekvanzanten

#47118 of 53,633
5.4 Total CVSS
Vulnerabilities · 1
PT-2024-26123
5.4
2024-05-13
Directus · Directus · CVE-2024-34709
**Name of the Vulnerable Software and Affected Versions**

Directus versions prior to 10.11.0

**Description**

Session tokens are not properly invalidated when a user logs out. On logout the `directus_session` record is destroyed and the cookie is deleted, but if the cookie value has been captured it remains valid for its entire expiry time, which is 1 day by default: the token is accepted as a signed JWT without checking that the session it refers to still exists. This effectively turns the session token into a long-lived, unrevocable stateless token instead of the intended stateful session token.

**Recommendations**

For versions prior to 10.11.0, update to version 10.11.0 or later. As a temporary workaround, add a check that the `directus_session` associated with a session token JWT still exists and has not expired whenever the token is authenticated, so that a leaked token stops working at logout rather than remaining valid until its own expiry.
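The contrast between a stateless JWT check and the stateful check recommended as a workaround, as an added example that is not Directus code. It assumes an in-memory `Map` standing in for the `directus_sessions` table, a `session` claim in the JWT carrying the session id, HS256 signing with a hypothetical shared secret, and clock values passed in explicitly so the expiry logic is deterministic.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumption: an in-memory stand-in for the directus_sessions table, keyed by session id.
interface SessionRow {
  user: string;
  expires: number; // unix seconds
}
export const sessions = new Map<string, SessionRow>();

// Assumed JWT claims: user id, session id looked up server-side, issued-at and expiry.
interface Claims {
  id: string;
  session: string;
  iat: number;
  exp: number;
}

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Login: create a session row and issue an HS256 JWT that references it (1-day TTL by default).
export function login(user: string, secret: string, now: number, ttl = 86400): string {
  const session = randomBytes(16).toString("hex");
  sessions.set(session, { user, expires: now + ttl });
  const claims: Claims = { id: user, session, iat: now, exp: now + ttl };
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Vulnerable check: only signature, algorithm and exp are verified.
// A captured token therefore keeps working after logout until exp passes.
export function verifyStateless(token: string, secret: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header = "", payload = "", sig = ""] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  const a = Buffer.from(sig, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  let claims: Claims;
  try {
    const hdr = JSON.parse(fromB64url(header)) as { alg?: string };
    if (hdr.alg !== "HS256") return null; // refuse algorithm confusion
    claims = JSON.parse(fromB64url(payload)) as Claims;
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Hardened check (the workaround): the JWT must also reference a live, unexpired session row
// that belongs to the same user. Deleting the row at logout revokes the token immediately.
export function verifyStateful(token: string, secret: string, now: number): Claims | null {
  const claims = verifyStateless(token, secret, now);
  if (!claims || typeof claims.session !== "string") return null;
  const row = sessions.get(claims.session);
  if (!row || row.user !== claims.id || row.expires <= now) return null;
  return claims;
}

// Logout: destroy the session row (the cookie deletion happens client-side and is not modelled).
export function logout(token: string, secret: string, now: number): void {
  const claims = verifyStateless(token, secret, now);
  if (claims) sessions.delete(claims.session);
}

// Replays a token captured before logout against both checks one hour later.
export function demo(): { statelessAfterLogout: boolean; statefulAfterLogout: boolean } {
  const secret = "example-secret-not-for-production"; // assumption
  const t0 = 1700000000;
  const token = login("user-1", secret, t0); // attacker captures this cookie value
  logout(token, secret, t0 + 60);
  const later = t0 + 3600; // well inside the 1-day exp
  return {
    statelessAfterLogout: verifyStateless(token, secret, later) !== null, // true: still accepted
    statefulAfterLogout: verifyStateful(token, secret, later) !== null, // false: revoked
  };
}
```

The stateful check costs one lookup per request, which is exactly the trade-off a stateful session is meant to make; without it, the only revocation mechanism left is rotating the signing secret, which logs every user out at once.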