following logout requests should not be counted as failed login
logout requests should not count up failcount!
but we cannot detect them for requests if there exists no session (because logout was already done) from which we can get the pass_hash from.
adding a list of already used logout passwords can fix this. but they should expire after some time. (after an unused time of the lo