It's a "feature" because it relies on a local cache. So it means that the attacker must be using your own unlocked computer (which contains the cache) to bypass 2FA through this "race"; and in that case it might as well install a key-logger instead or worse. The worse it can be said is that it is very confusing and breaks the usual pattern of what "logging off" means, but users should be taught to lock their computer, not log off stuff hoping not to leave nothing behind.