web application – mORMot 1.18 doesn’t invalidate session_signature after logout? is this the default behaviour?

On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:

../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs

Here is a typical signature to access the root URL:


In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, checked by the following Delphi expression:


For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6
will have the following URI:


I tried the following:

  1. authenticate as userA, send a request which shows sensitive content. Save session_signature=A value.
  2. perform the logout
  3. login again as userA in order to have a new session_signature=B which should invalidate the first one
  4. logout and send again the request with the session_signature=A
  5. the old session_signature value worked.

Is this the default behavior of mORMot or is it a misconfiguration? Should I consider it a session management misconfiguration since the value of session_signature is not invalidated?
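The behaviour the question expects, as an added example in Python (not mORMot's own Delphi code): the server keeps a session table that logout empties, so a session_signature whose session ID is no longer live is rejected before any signature check. The table, the per-session secret and the truncated-HMAC signature are assumptions standing in for the framework's expression, which the quoted docs leave out here; only the 24-hex-char layout (session ID, client timestamp, signature) comes from the page.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Hypothetical server-side session table: session ID -> (user, per-session secret).
# mORMot keeps its own session list; this dict only models the idea.
_sessions: Dict[int, Tuple[str, bytes]] = {}
_next_id = 0x4C  # constructed starting ID so tokens resemble the docs' 0000004C


def login(user: str) -> int:
    """Create a live session for user and return its numeric session ID."""
    global _next_id
    sid = _next_id
    _next_id += 1
    _sessions[sid] = (user, secrets.token_bytes(16))  # fresh secret per session
    return sid


def logout(sid: int) -> None:
    """Logout must delete the server-side entry, not just the client's copy."""
    _sessions.pop(sid, None)


def _mac(secret: bytes, timestamp: int, url: str) -> int:
    # Stand-in for the framework's CRC32-based expression (omitted on the page):
    # HMAC-SHA256 over timestamp and URL, truncated to 32 bits for 8 hex chars.
    msg = f"{timestamp:08X}".encode() + url.encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def sign(sid: int, timestamp: int, url: str) -> str:
    """Build the 24-hex-char value: session ID | client timestamp | signature."""
    return f"{sid:08X}{timestamp:08X}{_mac(_sessions[sid][1], timestamp, url):08X}"


def verify(token: str, url: str) -> bool:
    """Accept only if the session is still live AND the signature matches the URL."""
    if len(token) != 24:
        return False
    sid, ts, sig = (int(token[i:i + 8], 16) for i in (0, 8, 16))
    entry = _sessions.get(sid)
    if entry is None:  # logged out (or never existed): reject without MAC work
        return False
    return hmac.compare_digest(f"{_mac(entry[1], ts, url):08X}", f"{sig:08X}")
```

Re-running the five steps from the question against this model, the saved token A fails at the session lookup once logout has run, which is the check a server must make if logout is meant to invalidate session_signature.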