BE user cookie set regardless of session
The BE user cookie is always set once a user visited the /typo3 login page. Even after logout, a BE user cookie is still present.
Since a BE user cookie is the only way viable way to detect a BE session, it should only be present if there is a current session. This is important for CDNs to bypass cache for active sessions.
That means a) the cookie should only be set after successful login and b) the cookie should be removed during logout.