i read your blog posts regarding session management and it mentioned invalidating both the refresh token as well as access tokens (jwt) when a user logs out