diff --git a/auth.php b/auth.php
index 28c6d60..ca2403b 100644
--- a/auth.php
+++ b/auth.php
@@ -99,10 +99,13 @@ if ($userRole !== false) {
         // Generate a secure random token.
         $token = bin2hex(random_bytes(32));
         $expiry = time() + (30 * 24 * 60 * 60); // 30 days
+
         // Load existing persistent tokens.
         $persistentTokens = [];
         if (file_exists($persistentTokensFile)) {
-            $persistentTokens = json_decode(file_get_contents($persistentTokensFile), true);
+            $encryptedContent = file_get_contents($persistentTokensFile);
+            $decryptedContent = decryptData($encryptedContent, $encryptionKey);
+            $persistentTokens = json_decode($decryptedContent, true);
             if (!is_array($persistentTokens)) {
                 $persistentTokens = [];
             }
@@ -110,9 +113,10 @@ if ($userRole !== false) {
         // Save token along with username and expiry.
         $persistentTokens[$token] = [
             "username" => $username,
-            "expiry" => $expiry
+            "expiry"   => $expiry
         ];
-        file_put_contents($persistentTokensFile, json_encode($persistentTokens, JSON_PRETTY_PRINT));
+        $encryptedContent = encryptData(json_encode($persistentTokens, JSON_PRETTY_PRINT), $encryptionKey);
+        file_put_contents($persistentTokensFile, $encryptedContent, LOCK_EX);
         // Set the cookie. (Assuming $secure is defined in config.php.)
         setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
     }
diff --git a/config.php b/config.php
index c9af650..4fc1a01 100644
--- a/config.php
+++ b/config.php
@@ -1,6 +1,57 @@
 <?php
 // config.php
 
+// Define constants first.
+define('UPLOAD_DIR', '/var/www/uploads/');
+define('USERS_DIR', '/var/www/users/');
+define('USERS_FILE', 'users.txt');
+define('META_DIR', '/var/www/metadata/');
+define('META_FILE', 'file_metadata.json');
+define('TRASH_DIR', UPLOAD_DIR . 'trash/');
+define('TIMEZONE', 'America/New_York');
+define('DATE_TIME_FORMAT', 'm/d/y  h:iA');
+define('TOTAL_UPLOAD_SIZE', '5G');
+
+// Set the default timezone.
+date_default_timezone_set(TIMEZONE);
+
+/**
+ * Encrypts data using AES-256-CBC.
+ *
+ * @param string $data          The plaintext data.
+ * @param string $encryptionKey The secret encryption key.
+ * @return string               Base64-encoded string containing IV and ciphertext.
+ */
+function encryptData($data, $encryptionKey) {
+    $cipher = 'AES-256-CBC';
+    $ivlen = openssl_cipher_iv_length($cipher);
+    $iv = openssl_random_pseudo_bytes($ivlen);
+    $ciphertext = openssl_encrypt($data, $cipher, $encryptionKey, OPENSSL_RAW_DATA, $iv);
+    return base64_encode($iv . $ciphertext);
+}
+
+/**
+ * Decrypts data encrypted with AES-256-CBC.
+ *
+ * @param string $encryptedData The Base64-encoded data containing IV and ciphertext.
+ * @param string $encryptionKey The secret encryption key.
+ * @return string|false         The decrypted plaintext or false on failure.
+ */
+function decryptData($encryptedData, $encryptionKey) {
+    $cipher = 'AES-256-CBC';
+    $data = base64_decode($encryptedData);
+    $ivlen = openssl_cipher_iv_length($cipher);
+    $iv = substr($data, 0, $ivlen);
+    $ciphertext = substr($data, $ivlen);
+    return openssl_decrypt($ciphertext, $cipher, $encryptionKey, OPENSSL_RAW_DATA, $iv);
+}
+
+// Load encryption key from an environment variable (default for testing; override in production)
+$encryptionKey = getenv('PERSISTENT_TOKENS_KEY') ?: 'default_please_change_this_key';
+if (!$encryptionKey) {
+    die('Encryption key for persistent tokens is not set.');
+}
+
 // Allow an environment variable to override HTTPS detection.
 $envSecure = getenv('SECURE');
 if ($envSecure !== false) {
@@ -23,6 +74,7 @@ session_set_cookie_params($cookieParams);
 ini_set('session.gc_maxlifetime', 7200);
 session_start();
 
+// Generate CSRF token if not already set.
 if (empty($_SESSION['csrf_token'])) {
     $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }
@@ -30,22 +82,29 @@ if (empty($_SESSION['csrf_token'])) {
 // Auto-login via persistent token if session is not active.
 if (!isset($_SESSION["authenticated"]) && isset($_COOKIE['remember_me_token'])) {
     $persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
+    $persistentTokens = [];
     if (file_exists($persistentTokensFile)) {
-        $persistentTokens = json_decode(file_get_contents($persistentTokensFile), true);
-        if (is_array($persistentTokens) && isset($persistentTokens[$_COOKIE['remember_me_token']])) {
-            $tokenData = $persistentTokens[$_COOKIE['remember_me_token']];
-            if ($tokenData['expiry'] >= time()) {
-                // Token is valid; auto-authenticate the user.
-                $_SESSION["authenticated"] = true;
-                $_SESSION["username"] = $tokenData["username"];
-                // Optionally, set admin status if stored in token data:
-                // $_SESSION["isAdmin"] = $tokenData["isAdmin"];
-            } else {
-                // Token expired; remove it and clear the cookie.
-                unset($persistentTokens[$_COOKIE['remember_me_token']]);
-                file_put_contents($persistentTokensFile, json_encode($persistentTokens, JSON_PRETTY_PRINT));
-                setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
-            }
+        $encryptedContent = file_get_contents($persistentTokensFile);
+        $decryptedContent = decryptData($encryptedContent, $encryptionKey);
+        $persistentTokens = json_decode($decryptedContent, true);
+        if (!is_array($persistentTokens)) {
+            $persistentTokens = [];
+        }
+    }
+    if (is_array($persistentTokens) && isset($persistentTokens[$_COOKIE['remember_me_token']])) {
+        $tokenData = $persistentTokens[$_COOKIE['remember_me_token']];
+        if ($tokenData['expiry'] >= time()) {
+            // Token is valid; auto-authenticate the user.
+            $_SESSION["authenticated"] = true;
+            $_SESSION["username"] = $tokenData["username"];
+            // Optionally, set admin status if stored in token data:
+            // $_SESSION["isAdmin"] = $tokenData["isAdmin"];
+        } else {
+            // Token expired; remove it and clear the cookie.
+            unset($persistentTokens[$_COOKIE['remember_me_token']]);
+            $newEncryptedContent = encryptData(json_encode($persistentTokens, JSON_PRETTY_PRINT), $encryptionKey);
+            file_put_contents($persistentTokensFile, $newEncryptedContent, LOCK_EX);
+            setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
         }
     }
 }
@@ -64,15 +123,4 @@ if (strpos(BASE_URL, 'yourwebsite') !== false) {
 }
 
 define('SHARE_URL', getenv('SHARE_URL') ? getenv('SHARE_URL') : $defaultShareUrl);
-
-define('UPLOAD_DIR', '/var/www/uploads/');
-define('TIMEZONE', 'America/New_York');
-define('DATE_TIME_FORMAT', 'm/d/y  h:iA');
-define('TOTAL_UPLOAD_SIZE', '5G');
-define('USERS_DIR', '/var/www/users/');
-define('USERS_FILE', 'users.txt');
-define('META_DIR','/var/www/metadata/');
-define('META_FILE','file_metadata.json');
-define('TRASH_DIR', UPLOAD_DIR . 'trash/');
-date_default_timezone_set(TIMEZONE);
 ?>
\ No newline at end of file
diff --git a/logout.php b/logout.php
index 9c0a251..a210e21 100644
--- a/logout.php
+++ b/logout.php
@@ -1,17 +1,36 @@
 <?php
-session_start();
+require 'config.php';
+
+// Retrieve headers and check CSRF token.
 $headers = array_change_key_case(getallheaders(), CASE_LOWER);
 $receivedToken = isset($headers['x-csrf-token']) ? trim($headers['x-csrf-token']) : '';
 
-// Fallback: If a CSRF token exists in the session and doesn't match the one provided,
-// log the mismatch but proceed with logout.
+// If there's a mismatch, log it but continue with logout.
 if (isset($_SESSION['csrf_token']) && $receivedToken !== $_SESSION['csrf_token']) {
-    // Optionally log this event:
     error_log("CSRF token mismatch on logout. Proceeding with logout.");
 }
 
-$_SESSION = []; // Clear session data
-session_destroy(); // Destroy session
+// If the remember me token is set, remove it from the persistent tokens file.
+if (isset($_COOKIE['remember_me_token'])) {
+    $token = $_COOKIE['remember_me_token'];
+    $persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
+    if (file_exists($persistentTokensFile)) {
+        $encryptedContent = file_get_contents($persistentTokensFile);
+        $decryptedContent = decryptData($encryptedContent, $encryptionKey);
+        $persistentTokens = json_decode($decryptedContent, true);
+        if (is_array($persistentTokens) && isset($persistentTokens[$token])) {
+            unset($persistentTokens[$token]);
+            $newEncryptedContent = encryptData(json_encode($persistentTokens, JSON_PRETTY_PRINT), $encryptionKey);
+            file_put_contents($persistentTokensFile, $newEncryptedContent, LOCK_EX);
+        }
+    }
+    // Clear the cookie.
+    setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
+}
+
+// Clear session data and destroy the session.
+$_SESSION = [];
+session_destroy();
 
 header('Content-Type: application/json');
 echo json_encode(["success" => "Logged out"]);
diff --git a/networkUtils.js b/networkUtils.js
index c3e579d..90f42fe 100644
--- a/networkUtils.js
+++ b/networkUtils.js
@@ -1,4 +1,3 @@
-// networkUtils.js
 export function sendRequest(url, method = "GET", data = null) {
   console.log("Sending request to:", url, "with method:", method);
   const options = {
@@ -24,9 +23,11 @@ export function sendRequest(url, method = "GET", data = null) {
           throw new Error(`HTTP error ${response.status}: ${text}`);
         });
       }
+      // Clone the response so we can safely fall back if JSON parsing fails.
+      const clonedResponse = response.clone();
       return response.json().catch(() => {
         console.warn("Response is not JSON, returning as text");
-        return response.text();
+        return clonedResponse.text();
       });
     });
 }
\ No newline at end of file