fix: [security] destroy session on logout

- As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT

src/Controller/UsersController.php

@@ -384,6 +384,7 @@ class UsersController extends AppController
             if (Configure::read('keycloak.enabled')) {
                 $this->redirect($this->Users->keyCloaklogout());
             }
+            $this->request->getSession()->destroy();
             return $this->redirect(\Cake\Routing\Router::url('/users/login'));
         }
     }