On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns Authorization as the front-end authentication credential. Authorization can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”