Description
Symfony version(s) affected: 4.4.5
Logout success_handler is called before the actual logout happens.
Here's the problem:
https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php#L95
The Response is created too early, since the actual logout is only happening below.
Reference at https://symfony.com/doc/4.4/reference/configuration/security.html#success-handler is saying that this is for "handling a successful logout." (Which is also in line with my understanding of a "success handler" and the semantics of onLogoutSuccess.) But this is not the case, cause until it has actually happened, there is no successful logout (but merely a pending logout).
So I'm suggesting to move $this->tokenStorage->setToken(null); (https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php#L107) above the $response = ... line.
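
Added illustration, not part of the original report and not Symfony's code: a simplified stand-alone PHP model of the two orderings discussed above, showing what a success handler observes in the token storage in each case. The Demo* classes, the two function names and the sample user 'alice' are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for a token storage (hypothetical, not Symfony's class).
final class DemoTokenStorage
{
    private ?string $token;
    public function __construct(?string $token) { $this->token = $token; }
    public function getToken(): ?string { return $this->token; }
    public function setToken(?string $token): void { $this->token = $token; }
}

// Hypothetical success handler that inspects the security state while building its response.
final class DemoSuccessHandler
{
    private DemoTokenStorage $storage;
    public function __construct(DemoTokenStorage $storage) { $this->storage = $storage; }

    public function onLogoutSuccess(): string
    {
        $token = $this->storage->getToken();
        return $token === null
            ? 'response built for an anonymous visitor'
            : "response built while '$token' is still authenticated";
    }
}

// Order described in the issue: response created first, token cleared afterwards.
function logoutReportedOrder(DemoTokenStorage $storage, DemoSuccessHandler $handler): string
{
    $response = $handler->onLogoutSuccess();
    $storage->setToken(null);
    return $response;
}

// Order suggested in the issue: token cleared before the response is created.
function logoutSuggestedOrder(DemoTokenStorage $storage, DemoSuccessHandler $handler): string
{
    $storage->setToken(null);
    return $handler->onLogoutSuccess();
}

foreach (['logoutReportedOrder', 'logoutSuggestedOrder'] as $flow) {
    $storage = new DemoTokenStorage('alice'); // constructed sample user
    echo $flow, ': ', $flow($storage, new DemoSuccessHandler($storage)), PHP_EOL;
}
```

In the reported order the handler still sees 'alice' in the storage, so any response logic that depends on the current user runs against a session that has not yet been terminated.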