Sending the cookie path encoded seems to let the browser discard the path value as invalid and use the current path instead. This causes two session cookies, one with current path, one with
/. When logging out only of the cookies gets a new session id, the other one remains. That makes it impossible to login again until the cookies are cleared (or expire).