[1.8.x] Fixed #19324 -- Avoided creating a session record when loading the session.

            session_data = None

        if session_data is not None:

            return session_data

        self.create()

        self._session_key = None

        return {}

    def create(self):

            "It is likely that the cache is unavailable.")

    def save(self, must_create=False):

        if self.session_key is None:

            return self.create()

        if must_create:

            func = self._cache.add

        else:

            raise CreateError

    def exists(self, session_key):

        return (KEY_PREFIX + session_key) in self._cache

        return session_key and (KEY_PREFIX + session_key) in self._cache

    def delete(self, session_key=None):

        if session_key is None:

                    logger = logging.getLogger('django.security.%s' %

                            e.__class__.__name__)

                    logger.warning(force_text(e))

                self.create()

                self._session_key = None

                data = {}

        return data

    def exists(self, session_key):

        if (KEY_PREFIX + session_key) in self._cache:

        if session_key and (KEY_PREFIX + session_key) in self._cache:

            return True

        return super(SessionStore, self).exists(session_key)

                logger = logging.getLogger('django.security.%s' %

                        e.__class__.__name__)

                logger.warning(force_text(e))

            self.create()

            self._session_key = None

            return {}

    def exists(self, session_key):

                # Key wasn't unique. Try again.

                continue

            self.modified = True

            self._session_cache = {}

            return

    def save(self, must_create=False):

        create a *new* entry (as opposed to possibly updating an existing

        entry).

        """

        if self.session_key is None:

            return self.create()

        obj = Session(

            session_key=self._get_or_create_session_key(),

            session_data=self.encode(self._get_session(no_load=must_create)),

                    self.delete()

                    self.create()

        except (IOError, SuspiciousOperation):

            self.create()

            self._session_key = None

        return session_data

    def create(self):

            except CreateError:

                continue

            self.modified = True

            self._session_cache = {}

            return

    def save(self, must_create=False):

        if self.session_key is None:

            return self.create()

        # Get the session data now, before we start messing

        # with the file it is stored within.

        session_data = self._get_session(no_load=must_create)

*July 8, 2015*

Django 1.4.21 fixes several security issues in 1.4.20.

Denial-of-service possibility by filling session store

======================================================

In previous versions of Django, the session backends created a new empty record

in the session storage anytime ``request.session`` was accessed and there was a

session key provided in the request cookies that didn't already have a session

record. This could allow an attacker to easily create many new session records

simply by sending repeated requests with unknown session keys, potentially

filling up the session store or causing other users' session records to be

evicted.

The built-in session backends now create a session record only if the session

is actually modified; empty session records are not created. Thus this

potential DoS is now only possible if the site chooses to expose a

session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the

core sessions framework), maintainers of third-party session backends should

check whether the same vulnerability is present in their backend and correct

it if so.