Doesn't seem to be the same on 6.3 with webserver passthrough as the authentication mode. Stuff like this is probably why they encourage closing the browser after logout (that's the default screen on logout since 6.0). At least the session keys don't appear to be unsalted MD5 hashes of an incremental session number anymore.