Shopware Improper Session Handling in store-api account logout

Impact

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won’t be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

Patches

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

Workarounds

When you are not able to update, you can install the latest version of the Shopware Security Plugin.