Changing the session store to a database or memory store won't fix it: a session ID is still required on the client side, and your session is still hijacked because the attacker still gets the session ID.
The bug specifically addresses logging out.
When you store a record of the session on the server side (with the session ID you mention), you clear that session record during logout; the session is now gone, and the cookie isn't valid anymore.
(With the cookie-only approach, the server will continue to accept a cookie that you wanted to have cleared.)
When I click log out, I know I'm logging out on this browser but not other browsers. I usually want to keep my session on other devices... But you can still achieve "log me out on every device" with CookieStore; it doesn't limit you from storing and checking things on the server side.
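The logout difference discussed in this thread, as an added Ruby example that is not code from the thread or from Rails. `CookieOnlySessions` and `ServerSideSessions` are hypothetical stand-ins (an HMAC-signed value and an in-memory hash), and the key and user name are constructed for the demo.

```ruby
require "openssl"
require "securerandom"

SECRET = SecureRandom.hex(32) # constructed signing key for this demo

# Cookie-only store: the whole session lives in a signed value held by the client.
class CookieOnlySessions
  def login(user)
    payload = user.unpack1("H*") # hex-encode so "." can separate payload and MAC
    "#{payload}.#{mac(payload)}"
  end

  # The server can only ask the browser to drop the cookie; it has no record to clear.
  def logout(_cookie); end

  def current_user(cookie)
    payload, tag = cookie.to_s.split(".", 2)
    return nil unless payload && tag && secure_eq(tag, mac(payload))
    [payload].pack("H*").force_encoding("UTF-8")
  end

  def mac(data)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  end

  # Constant-time comparison of two equal-length strings.
  def secure_eq(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Server-side store: the cookie holds only a random id; the record is kept by the server.
class ServerSideSessions
  def initialize; @records = {}; end

  def login(user)
    sid = SecureRandom.hex(16)
    @records[sid] = user
    sid
  end

  def logout(sid); @records.delete(sid); end
  def current_user(sid); @records[sid]; end
end

# Present a copy of the cookie value again after logout and report who the server sees.
def user_seen_after_logout(store)
  captured = store.login("alice").dup
  store.logout(captured)
  store.current_user(captured)
end
```

With the cookie-only store the captured value still authenticates after logout; with the server-side record it resolves to nothing.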