private void TokenLogout(string accessHeadAndPayload, TokenManager tokenManager, HttpContextBase context)
        {
            if (!String.IsNullOrWhiteSpace(accessHeadAndPayload))
            {
                var authCookie = CookieHelper.GetCookie(context.Request, AccessSignatureCookieName);
                if (authCookie == null)
                {
                    throw new UnauthorizedAccessException("Missing access cookie.");
                }

                var accessSignature = authCookie.Value;
                var principal       = tokenManager.ValidateToken(accessHeadAndPayload + "." + accessSignature, false);
                if (principal == null)
                {
                    throw new UnauthorizedAccessException("Invalid access token.");
                }

                bool.TryParse(AuthenticationHelper.GetRequestParameterValue(context, "ultimateLogout"), out var ultimateLogout);

                // ultimately log out only if the user has not been logged out already, if he has, just a local logout executes
                if (ultimateLogout || Configuration.Security.DefaultUltimateLogout)
                {
                    ultimateLogout = !UserHasLoggedOut(tokenManager, principal.Identity.Name, accessHeadAndPayload, out var portalPrincipal);
                    using (AuthenticationHelper.GetSystemAccount())
                    {
                        context.User = portalPrincipal;
                    }
                }

                _logoutExecutor?.Logout(ultimateLogout);

                CookieHelper.DeleteCookie(context.Response, AccessSignatureCookieName);
                CookieHelper.DeleteCookie(context.Response, AccessHeadAndPayloadCookieName);
                CookieHelper.DeleteCookie(context.Response, RefreshSignatureCookieName);
                context.Response.StatusCode = HttpResponseStatusCode.Ok;
            }
        }