I've further isolated the issue. It's not related to the DM Karaf distro at all.
The issue is related to the browser's own login dialog. Its appearance in turn is related to the dm4.security.read_requires_login DM config property.
(The DM Karaf distro sets it to true by default. In contrast, the DM standard distro sets it to false by default.)
This is a known HTTP problem. HTTP provides no logout semantics. The browser caches the information entered in the browser's own login dialog and re-sends it with every request. There is no way to clear that cache besides quitting the browser.
A while ago I read about a possible workaround: as far as I remember it involves an AJAX request to be sent after the logout request, and enforcing a 401 (by sending dummy credentials in the Authorization header). The workaround is based on the fact that (in contrast to a "normal" request) an AJAX request with a 401 response does *not* bring up the browser's own login dialog but resets the cached credentials. (I'm not fully sure about this, but there is such a workaround. It is also utilized by the Trac software.)
I will try to utilize that workaround for DM as well.
Hint: when dm4.security.read_requires_login is set to false the problem does *not* occur. Logout works fine in this case. The browser's own login dialog is not involved then.
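
The workaround described in the comment above, sketched as an added example that is not part of the original comment and is neither DeepaMehta nor Trac code. The URLs, the POST logout method, the dummy credentials and the function names are assumptions; whether a 401 on a background request actually clears the cached credentials depends on the browser, as the comment itself notes.

```javascript
// Added example; not DeepaMehta or Trac code. All names and URLs are hypothetical.
const DUMMY_USER = "logout";
const DUMMY_PASS = "invalid";

// Basic credentials per RFC 7617: "Basic " + base64(user ":" password).
function basicAuthHeader(user, pass) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  return "Basic " + btoa(`${user}:${pass}`); // dummy values are ASCII-only
}

// send(url, options) must behave like fetch(); in a browser pass
// (u, o) => fetch(u, o). It is a parameter so the sequence can run offline.
async function logoutAndResetCredentials(send, logoutUrl, protectedUrl) {
  // 1. The regular logout request.
  const logout = await send(logoutUrl, { method: "POST" });
  if (!logout.ok) {
    return { loggedOut: false, dummyRejected: false };
  }
  // 2. Background request with deliberately wrong credentials, to force a 401.
  const probe = await send(protectedUrl, {
    method: "GET",
    cache: "no-store",
    headers: { Authorization: basicAuthHeader(DUMMY_USER, DUMMY_PASS) },
  });
  // Anything other than 401 means the server did not reject the dummy
  // credentials, so the workaround cannot have had its intended effect.
  return { loggedOut: true, dummyRejected: probe.status === 401 };
}
```

A caller should treat `dummyRejected: false` as "logout incomplete" and tell the user to close the browser, which the comment names as the only certain way to clear the cache.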