Fixed #20936 -- When logging out/ending a session, don't create a new, empty session.

        self.accessed = True

        self.modified = True

    def is_empty(self):

        "Returns True when there is no session_key and the session is empty"

        try:

            return not bool(self._session_key) and not self._session_cache

        except AttributeError:

            return True

    def _get_new_session_key(self):

        "Returns session key that isn't being used."

        while True:

        """

        self.clear()

        self.delete()

        self.create()

        self._session_key = None

    def cycle_key(self):

        """

        """

        self.clear()

        self.delete(self.session_key)

        self.create()

        self._session_key = ''

# At bottom to avoid circular import

    def process_response(self, request, response):

        """

        If request.session was modified, or if the configuration is to save the

        session every time, save the changes and set a session cookie.

        session every time, save the changes and set a session cookie or delete

        the session cookie if the session has been emptied.

        """

        try:

            accessed = request.session.accessed

            modified = request.session.modified

            empty = request.session.is_empty()

        except AttributeError:

            pass

        else:

            # First check if we need to delete this cookie.

            # The session should be deleted only if the session is entirely empty

            if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:

                response.delete_cookie(settings.SESSION_COOKIE_NAME)

            else:

                if accessed:

                    patch_vary_headers(response, ('Cookie',))

        # Check that the value wasn't saved above.

        self.assertNotIn('hello', request.session.load())

    def test_session_delete_on_end(self):

        request = RequestFactory().get('/')

        response = HttpResponse('Session test')

        middleware = SessionMiddleware()

        # Before deleting, there has to be an existing cookie

        request.COOKIES[settings.SESSION_COOKIE_NAME] = 'abc'

        # Simulate a request that ends the session

        middleware.process_request(request)

        request.session.flush()

        # Handle the response through the middleware

        response = middleware.process_response(request, response)

        # Check that the cookie was deleted, not recreated.

        # A deleted cookie header looks like:

        #  Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/

        self.assertEqual('Set-Cookie: {0}=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format(settings.SESSION_COOKIE_NAME),

            str(response.cookies[settings.SESSION_COOKIE_NAME]))

class CookieSessionTests(SessionTestsMixin, TestCase):

:mod:`django.contrib.sessions`

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ...

* Session cookie is now deleted after

  :meth:`~django.contrib.sessions.backends.base.SessionBase.flush()` is called.

:mod:`django.contrib.sitemaps`

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^