I’m not sure if this is related to rememberLastLogin or not (if so, then setting it to false does not produce the desired results). I’m assuming that a remembered login state is managed through a cookie? If so, can that cookie be set to expire with the session? The problem is that there is no way to prevent the user from closing the browser without logging out (yes, I can catch that event and warn them, but they can override it). When that happens, the user remains in a logged in state, so that they (or someone else) can just go back to the SPA and find themselves still logged in. This is a pretty serious security hole. By the way, the same thing happens if I log into auth0.com and just close the browser without logging out.