diff --git a/src/qlik.mjs b/src/qlik.mjs
index bd41e1e..55f778c 100644
--- a/src/qlik.mjs
+++ b/src/qlik.mjs
@@ -10,6 +10,7 @@ const certsPath = process.env.QLIK_CERTS_PATH
 
 const xrfKey = process.env.QLIK_XRFKEY || "abcdefghijklmnop";
 
+// https://undici.nodejs.org/#/docs/best-practices/client-certificate.md
 const dispatcher = new Agent({
     connect: {
         rejectUnauthorized: false, // allow self-signed certificates
diff --git a/src/routes/auth.mjs b/src/routes/auth.mjs
index fef7f20..d51167d 100644
--- a/src/routes/auth.mjs
+++ b/src/routes/auth.mjs
@@ -24,8 +24,10 @@ authRouter.get("/logout/:userdir/:user", async (req, res) => {
     if (!redirect) return res.sendStatus(400); // Bad request
 
     if (req.session.user) {
-        req.session = null; // https://expressjs.com/en/resources/middleware/session.html#unset
-        await deleteUserAndSessions(req.session.provider, req.session.user);
+        const { provider, user } = req.session;
+        // https://expressjs.com/en/resources/middleware/session.html#unset
+        req.session = null;
+        await deleteUserAndSessions(provider, user);
     }
 
     res.redirect(redirect);