There are several existing feature requests and forum posts, but it still needs correction.
It is not enough to have security authentication tokens expire after 24 hours. The current recommendation seems to be to drop them and hope they aren't accidentally reused, or worse, maliciously replayed or stolen. The fact that we cannot expressly invalidate them remains an enormous security flaw.
There needs to be a logout function to explicitly declare "this session is over" and invalidate the token.