79543821

Date: 2025-03-29 19:57:33
Score: 1.5

When a user logs out and hits the back button, browsers restore the previous page state, including localStorage values. That's why your token "reappears" despite clearing it.

  • During logout, record a timestamp of when the user logged out
  • In your auth check, verify that any token was created AFTER the most recent logout
  • Modify browser history using replaceState to prevent returning to authenticated states
  • Consider using sessionStorage instead of localStorage

This timestamp approach ensures that even if old tokens reappear due to browser navigation, they'll fail validation because they were created before the last logout.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Starts with a question (0.5): When a use
  • Low reputation (1):
Posted by: SRIHARI KATTA
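
The timestamp check described in the answer above, as an added example that is not part of the original post. It assumes the token is a JWT carrying an `iat` claim in seconds; the storage keys, the `/login` path and all function names are hypothetical, and the storage object is injectable so `localStorage` or `sessionStorage` can be passed in.

```javascript
const LOGOUT_KEY = "lastLogoutAt"; // hypothetical storage key
const TOKEN_KEY = "authToken";     // hypothetical storage key

// In-memory stand-in for localStorage/sessionStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Read the issued-at time (seconds) from a JWT payload; null if malformed.
// This only decodes the claim; signature verification stays on the server.
function tokenIssuedAt(token) {
  try {
    const part = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = part + "=".repeat((4 - (part.length % 4)) % 4);
    const iat = JSON.parse(atob(padded)).iat;
    return Number.isFinite(iat) ? iat : null;
  } catch {
    return null;
  }
}

// Clear the token, record when logout happened, replace the current history entry.
function logout(storage, nowSec, history) {
  storage.removeItem(TOKEN_KEY);
  storage.setItem(LOGOUT_KEY, nowSec);
  if (history) history.replaceState(null, "", "/login"); // hypothetical path
}

// A token counts only if it was issued strictly after the last logout.
// Missing or undecodable tokens fail closed.
function isAuthenticated(storage) {
  const token = storage.getItem(TOKEN_KEY);
  if (!token) return false;
  const iat = tokenIssuedAt(token);
  if (iat === null) return false;
  return iat > Number(storage.getItem(LOGOUT_KEY) || 0);
}

// Constructed, unsigned sample token for the demo only.
function sampleToken(iat) {
  const b64 = (o) => btoa(JSON.stringify(o))
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return `${b64({ alg: "none" })}.${b64({ iat })}.`;
}
```

In a browser, call `logout(sessionStorage, Math.floor(Date.now() / 1000), window.history)` and run `isAuthenticated` on every route change and on the `pageshow` event.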