It sounds like what you’re doing is copying the cookie value, logging out on the client, and then making requests to the API manually using that cookie value, is that correct?
There is no “session” on the server to expire: it decrypts the value in the cookie and, if it’s valid, allows you to make GraphQL requests. The value that was in the cookie still decrypts properly, so the API considers it a valid request, whether or not it came from the browser.
If you needed to disallow a user from making requests (they get banned, for example) you would need to add a field to the database and then check it in the getCurrentUser() function in api/src/lib/auth.js. If the user should no longer have access, return null and they'll be considered the same as a logged out request.
It's really no different than having an API key that a user can use to make requests: that API key is good "forever" unless you take additional steps to limit its usage. This is the same as our other authentication providers that save a JWT to LocalStorage: if you were to copy the value out of LocalStorage, log out, but provide the JWT in the Authentication header, the request to the server would be considered valid.
Are you worried that a bad actor will somehow get your cookie from your machine and continue to make requests as you after logging out? This would be much less likely by using SSL and making the cookie secure.