Take a step back
You haven't given much detail on how authentication is performed in your application, so it is hard to guess what you are doing.
However, it is important to note that in REST applications there should be no session state stored on the server side. Instead, session state should be handled entirely by the client.
But what is the problem with server-side sessions? They are stateful, and they violate the REST stateless constraint (read on for details), so they are not RESTful.
Stateless constraint
According to Roy T. Fielding's dissertation, the REST stateless constraint is defined as follows:
5.1.3 Stateless
[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]
When accessing protected resources that require authentication, for example, each request must contain all the data needed for proper authentication and authorization. And the authentication data should be sent in the standard HTTP Authorization header. From RFC 7235:
4.2. Authorization
The "Authorization" header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. [...]
Conclusion
REST is stateless. There is no login or logout in the sense of a session. Every request for a resource that requires authentication must carry the authentication data, and the session state is kept on the client side, not on the server.
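Added example, not part of the answer above: a minimal stateless bearer-token check in Python that does what the answer describes. The server keeps one signing key and no per-user session table; every request is judged from its own Authorization header, and a missing or bad credential gets the 401 plus WWW-Authenticate challenge that RFC 7235 calls for. The key, realm, TTL and the request dictionaries are constructed for the example; the token format (base64url payload, HMAC-SHA256 tag) is a deliberately small stand-in for a real scheme such as JWT.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical signing key for the example; a real service loads it from a secrets store.
# This key is the ONLY server-side state: there is no session table to look up.
SECRET_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL = 900  # seconds a token stays valid (assumed value)
REALM = "api"    # assumed realm name for the WWW-Authenticate challenge


def _b64url(data: bytes) -> str:
    """base64url without padding, as commonly used in bearer tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: Optional[float] = None) -> str:
    """Return base64url(payload) + '.' + base64url(HMAC-SHA256(payload)).

    The payload carries everything the server needs later (who, until when),
    so nothing has to be remembered between requests.
    """
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now) + TOKEN_TTL},
                         separators=(",", ":")).encode("ascii")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate a token from the key and the token alone; None if invalid or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        # Malformed base64, malformed JSON, wrong number of parts, missing fields.
        return None


def authenticate(request: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Stateless check: the decision is made from this request and the key only.

    Returns (status, info). A 401 carries the WWW-Authenticate challenge that
    RFC 7235 requires, so the client learns which scheme and realm to use.
    """
    header = request.get("headers", {}).get("Authorization", "")
    scheme, _, credentials = header.partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}
    claims = verify_token(credentials.strip(), now)
    if claims is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}
    return 200, {"subject": claims["sub"], "expires": claims["exp"]}


if __name__ == "__main__":
    # Constructed requests for illustration, not captured traffic.
    token = issue_token("alice")
    print(authenticate({"method": "GET", "path": "/orders",
                        "headers": {"Authorization": f"Bearer {token}"}}))
    print(authenticate({"method": "GET", "path": "/orders", "headers": {}}))
```

Because the server stores nothing per client, any instance behind a load balancer can validate any token, and a restart loses no logins. The price is that a token cannot be revoked before its expiry without reintroducing some server-side state (a denylist), which is why the TTL is kept short.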