diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 5670e594..5b288eab 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -762,6 +762,7 @@ static void
 man_forget_passwords(struct management *man)
 {
     ssl_purge_auth(false);
+    (void)ssl_clean_auth_token();
     msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
 }
 
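Review bot: The added `(void)ssl_clean_auth_token();` in man_forget_passwords() carries no comment explaining why a second call is needed after `ssl_purge_auth(false)`, and the same uncommented pair is repeated in the MF_FORGET_DISCONNECT branch of man_reset_client_socket(). The auth-token is presumably usable in place of the password for the session, so a later cleanup that drops the call would leave a live credential behind after the client is told "Passwords were forgotten". A one-line comment at both sites would guard against that: `/* ssl_purge_auth() leaves the auth-token in place; wipe it too */`. The `(void)` cast discards the return value, which looks deliberate since the reply is unconditional, but the comment should say so. A small static helper in manage.c wrapping the two calls would also keep the sites from drifting apart.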
@@ -1922,6 +1923,7 @@ man_reset_client_socket(struct management *man, const bool exiting)
         if (man->settings.flags & MF_FORGET_DISCONNECT)
         {
             ssl_purge_auth(false);
+            (void)ssl_clean_auth_token();
         }
 
         if (man->settings.flags & MF_SIGNAL)
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 9ae6ae8f..94137b23 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -390,6 +390,7 @@ void ssl_set_auth_nocache(void);
 /*
  * Purge any stored authentication information, both for key files and tunnel
  * authentication. If PCKS #11 is enabled, purge authentication for that too.
+ * Note that auth_token is not cleared.
  */
 void ssl_purge_auth(const bool auth_user_pass_only);
 
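Review bot: The sentence added to the ssl_purge_auth() comment says what the function leaves behind but not what a caller should do about it. Naming the companion call would help callers who want all cached credentials gone, for example ` * Note that auth_token is not cleared; call ssl_clean_auth_token() as well to wipe it.` The unchanged line above it spells "PCKS #11", which presumably should read "PKCS #11" and could be fixed in the same edit.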
