The ensure_logout functionality does not work in combination with a CSRF token as the controller invalidates the session before validating the form, hence the form is always invalid. Should be an easy fix.