web application – mORMot 1.18 doesn’t invalidate session_signature after logout? is this the default behaviour?

On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:

../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs

Here is a typical signature to access the root URL

root?session_signature=0000004C000F6BE365D8D454

In this case, 0000004C is the Session ID, 000F6BE3 is the client time
stamp (aka nonce), and 65D8D454 is the signature, checked by the
following Delphi expression:

(crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(aURL),aURLlength)=aSignature);

For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6
will have the following URI:

root/People/6?session_signature=0000004C000F6DD02E24541C

I tried the following:

  1. authenticate as userA, send a request which shows sensitive content. Save session_signature=A value.
  2. perform the logout
  3. login again as userA in order to have a new session_signature=B which should invalidate the first one
  4. logout and send again the request with the session_signature=A
  5. the old session_signature value worked.

Is this the default behavior of mORMot or is it a misconfiguration? Should I consider it a session management misconfiguration since the value of session_signature is not invalidated?
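To show what a server-side check that does invalidate on logout looks like, here is an added example modelled on the format and the Delphi expression quoted above; it is not mORMot's own code. It assumes a session table keyed by session id, a constructed per-session salt hash, and that zlib.crc32 seeded the same way reproduces mORMot's crc32 (standard CRC-32), which is an assumption rather than a verified compatibility claim.

```python
import zlib

# Server-side session store: session id -> per-session 32-bit salt hash
# (fPrivateSaltHash in mORMot; values here are constructed for the example).
SESSIONS: dict[int, int] = {}

def logout(session_id: int) -> None:
    # Invalidate on logout: drop the session so any signature carrying its id is rejected.
    SESSIONS.pop(session_id, None)

def parse_signature(sig: str) -> tuple[int, str, int]:
    # 24 hex chars: 8 session id | 8 client timestamp (nonce) | 8 crc32 signature
    if len(sig) != 24 or any(c not in "0123456789abcdefABCDEF" for c in sig):
        raise ValueError("malformed session_signature")
    return int(sig[:8], 16), sig[8:16], int(sig[16:], 16)

def expected_signature(salt_hash: int, timestamp_hex: str, url: str) -> int:
    # Model of crc32(crc32(fPrivateSaltHash, PTimeStamp, 8), aURL, aURLlength):
    # inner crc32 over the 8 timestamp characters seeded with the salt hash,
    # outer crc32 over the URL bytes seeded with the inner result.
    # ASSUMPTION: zlib.crc32 with a seed behaves like mORMot's crc32 (standard CRC-32).
    inner = zlib.crc32(timestamp_hex.encode("ascii"), salt_hash)
    return zlib.crc32(url.encode("ascii"), inner) & 0xFFFFFFFF

def sign(session_id: int, timestamp_hex: str, url: str) -> str:
    # Build the session_signature a logged-in client appends to `url`.
    crc = expected_signature(SESSIONS[session_id], timestamp_hex, url)
    return f"{session_id:08X}{timestamp_hex}{crc:08X}"

def verify(url: str, sig: str) -> bool:
    # Server check: must parse, belong to a live session and match this URL.
    try:
        session_id, timestamp_hex, given = parse_signature(sig)
    except ValueError:
        return False
    salt_hash = SESSIONS.get(session_id)
    if salt_hash is None:
        return False  # unknown or logged-out session: a saved signature no longer replays
    return expected_signature(salt_hash, timestamp_hex, url) == given

def replay_after_logout() -> tuple[bool, bool]:
    # Steps 1, 2 and 4 of the question: the same signature before and after logout.
    SESSIONS[0x4C] = 0x1234ABCD  # constructed salt for session 0000004C
    url = "root/People/6"
    sig_a = sign(0x4C, "000F6DD0", url)
    before = verify(url, sig_a)
    logout(0x4C)
    return before, verify(url, sig_a)
```

With the session removed at logout, `replay_after_logout()` returns `(True, False)`: the saved value is accepted while the session lives and refused afterwards, which is the behaviour the question expected to see.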