1. Logout is better called in a POST request (avoids caching in most situations + avoids weird CSRF "logout attacks", i.e. can't be logged out by clicking on an email link)
2. We should wait for logout to complete before mutating the user, otherwise some weird race conditions might prevent swr to catch the right logged out state
This example creates an authentication system that uses a **signed and encrypted cookie to store session data**. It relies on [`next-iron-session`](https://github.com/vvo/next-iron-session).
It uses current best practices as for authentication in the Next.js ecosystem:
1. **no `getInitialProps`** to ensure every page is static
2. **`useUser` hook** together with [`swr`](https://swr.now.sh/) for data fetching
Features:
- Logged in status synchronized between browser windows/tabs
- Layout based on logged in status
- All pages are static
- Session data is signed and encrypted in a cookie