Your assumption is absolutely right, you cannot invalidate a session on the server is treated like an unauthenticated request, and you prompt for login again..