After logging out from a session in our laravel+inertiajs application, and confirming that the $request->session()->invalidate(); is called, the session cookies previously used (which should be invalidated now) can still be used to send requests to our API. Does anyone have an idea on how to fix this?