Exactly - they can close the session, but keep the authentication token. Thanks for pushing on this - as wila mentioned, it's really annoying that you can start to reply when not logged in, and then lose the text you've written when it prompts you to authenticate.