diff --git a/app/routers/auth.py b/app/routers/auth.py
index 05e3de1..e567aa4 100644
--- a/app/routers/auth.py
+++ b/app/routers/auth.py
@@ -284,9 +284,32 @@ async def verify_resend(
 # ---------------------------------------------------------------------------
 
 
+_LOGOUT_HTML = """<!doctype html><html lang="en"><head>
+<meta charset="utf-8">
+<title>Signing out…</title>
+<meta http-equiv="refresh" content="0;url=/login">
+<script>
+// Wipe per-user browser state before the redirect. Keeps `cassandra.theme`
+// (cosmetic, no privacy concern) so the next user's first paint isn't a
+// white-flash. The meta-refresh above is the no-JS fallback for the redirect;
+// without JS, localStorage isn't cleared, but base.html's user-mismatch
+// guard catches the next authenticated page load.
+(function() {
+  try {
+    var theme = localStorage.getItem('cassandra.theme');
+    localStorage.clear();
+    if (theme) localStorage.setItem('cassandra.theme', theme);
+    sessionStorage.clear();
+  } catch (e) {}
+  window.location.replace('/login');
+})();
+</script>
+</head><body>Signing out&hellip;</body></html>"""
+
+
 @router.post("/logout")
 async def logout(request: Request):
-    resp = RedirectResponse(url="/login", status_code=303)
+    resp = HTMLResponse(content=_LOGOUT_HTML)
     resp.delete_cookie(SESSION_COOKIE_NAME, path="/")
     _clear_pending_cookie(resp)
     return resp
diff --git a/app/templates/base.html b/app/templates/base.html
index aec5c88..9fdb0d1 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -4,6 +4,29 @@
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>{% block title %}{{ BRAND_NAME }}{% endblock %}</title>
+  {# Cross-user contamination guard.
+
+     localStorage is browser-wide; if User A uploads a portfolio and User B
+     logs in on the same browser, the stale `cassandra.pie` would otherwise
+     render as User B's holdings. We stamp the logged-in user's id in
+     localStorage on every authenticated page load and wipe per-user keys
+     if the id changed since last time. Theme stays — it's cosmetic. #}
+  <script>
+    (function() {
+      try {
+        var current = "{{ cu.user.id if cu and cu.user else '' }}";
+        if (!current) return;
+        var last = localStorage.getItem('cassandra.user_id') || '';
+        if (last && last !== current) {
+          var theme = localStorage.getItem('cassandra.theme');
+          localStorage.clear();
+          if (theme) localStorage.setItem('cassandra.theme', theme);
+          try { sessionStorage.clear(); } catch (e) {}
+        }
+        localStorage.setItem('cassandra.user_id', current);
+      } catch (e) {}
+    })();
+  </script>
   {# Apply saved theme before stylesheet renders to avoid a flash. #}
   <script>
     (function() {