Fixed incorrect session.flush() in cached_db session backend. (08857963) · Commits · Dom Sekotill / django

django/contrib/sessions/backends/cached_db.py

+1 −1

Original line number	Diff line number	Diff line
		@@ -79,7 +79,7 @@ class SessionStore(DBStore):
		"""
		self.clear()
		self.delete(self.session_key)
		self._session_key = ''
		self._session_key = None


		# At bottom to avoid circular import

+17 −1

Original line number	Diff line number	Diff line
		@@ -4,7 +4,23 @@ Django 1.8.2 release notes

		Under development

		Django 1.8.2 fixes several bugs in 1.8.1.
		Django 1.8.2 fixes a security issue and several bugs in 1.8.1.

		Fixed session flushing in the ``cached_db`` backend
		===================================================

		A change to ``session.flush()`` in the ``cached_db`` session backend in Django
		1.8 mistakenly sets the session key to an empty string rather than ``None``. An
		empty string is treated as a valid session key and the session cookie is set
		accordingly. Any users with an empty string in their session cookie will use
		the same session store. ``session.flush()`` is called by
		``django.contrib.auth.logout()`` and, more seriously, by
		``django.contrib.auth.login()`` when a user switches accounts. If a user is
		logged in and logs in again to a different account (without logging out) the
		session is flushed to avoid reuse. After the session is flushed (and its
		session key becomes ``''``) the account details are set on the session and the
		session is saved. Any users with an empty string in their session cookie will
		now be logged into that account.

		Bugfixes
		========

+1 −0

Original line number	Diff line number	Diff line
		@@ -165,6 +165,7 @@ class SessionTestsMixin(object):
		self.session.flush()
		self.assertFalse(self.session.exists(prev_key))
		self.assertNotEqual(self.session.session_key, prev_key)
		self.assertIsNone(self.session.session_key)
		self.assertTrue(self.session.modified)
		self.assertTrue(self.session.accessed)