Secure logout and account confirmation workflows

Authentication workflows such as logout and account confirmation are security-sensitive operations that must be handled with care. Currently, logout may not fully invalidate sessions or tokens, and account confirmation flows (email verification, password reset) may lack adequate security controls. This issue addresses both workflows to ensure they are hardened against session hijacking, token reuse, and enumeration attacks.