I think adding a real 401 page may have broken session timeouts, which were relying on redirecting to the sign out page on unauthorized via the controller method, but the controller method now renders a 401.

Audit all uses of controller functions and probably add a dedicated one to force sign out.

/assign