The reason this error is reported by a number of different test and site check systems - is that DNN does not null out the sessionid on logout.
I seem to recall some time back that there was a JIRA request for this to be added to the core - but that it was closed with no action. With the reason being that because of how DNN works there is NO attack risk since dnn does not use the session id for its authentication.
Now while this may be true - it still have implications for some shopping cart type systems that do seem to use the sessionid - as such - while it seems like sure it may not - Ive always thought that it should still be happening since it IS considered web best practice to clear sessionid when logging out.
It is however a very simple thing to change if it really bothers you - Basically it involves adding two lines of code to the /DesktopModules/Admin/Authentication/logoff.aspx.cs file - The suggested code is something like the following
private void DoLogoff()
//Remove user from cache
if (User != null)
DataCache.ClearUserCache(PortalSettings.PortalId, Context.User.Identity.Name); }
Session.Clear(); /// add these two lines
Session.Abandon(); /// add these two lines
var objPortalSecurity = new PortalSecurity();
catch (Exception exc) //Page failed to load