Api.access.deny in Post-Login Action does not Clear Session

Problem statement

This article explains why using api.access.deny in a post-login action does not clear the session.

Solution

This is intended behavior. The post-login action is executed after authentication. When the action is executed, the user has successfully authenticated, and a session has been established. The api.access.deny function applies only to the current transaction and prevents the issuing of the access token.