We are seeing an issue where the Session isn't being abandoned in DNN. I'm not sure if this is was a 4.5.x issue as we upgraded a while ago to 5.x and maybe referencing an older control.
The login/logoff control we are referencing in our module is DotNetNuke.UI.Skins.Controls.Login located in path DNN_Web_Root/admin/Skins/login.ascx
In there it looks like it does a redirect to logoff.aspx which then goes through the LogoffHttpHandler, which then goes somewhere to complete the logoff process however I cannot find where that process is to see if Session.Abandon is being called.
Can anyone answer the following:
Logoff is normally handled by Desktopmodules\Admin\Authentication\Logoff.ascx. The main action is to clear the authentication cookie, along with a few other cookies and some user specific cached data.
DotNetNuke NEVER uses Session for anything and does not clear Session during a log off.