In an APP context, when the client invokes DELETE on SessionView, a new empty and useless session is created in the session store and an associated session token is present in the response. Because this new session is empty, it can't be used to authenticate, so fortunately there isn't any security issue related to this.

In short, the following test fails:

def test_logout_no_token(app_client, user):
    app_client.force_login(user)
    resp = app_client.get(reverse("headless:app:account:current_session"))
    assert resp.status_code == 200
    resp = app_client.delete(reverse("headless:app:account:current_session"))
    assert resp.status_code == 401
    assert "session_token" not in resp.json()["meta"]

The problem is that Django's logout() function flushes the session which sets session.modified = True, but expose_session_token() attempts to create a new session token if session.modified = True. A simple fix would be to also check if the session data is empty.