@@ -79,7 +79,7 @@ def flush(self):

"""

self.clear()

self.delete(self.session_key)

self._session_key = ''

self._session_key = None

# At bottom to avoid circular import

from django.contrib.sessions.models import Session # isort:skip

@@ -4,7 +4,23 @@ Django 1.8.2 release notes

*Under development*

Django 1.8.2 fixes several bugs in 1.8.1.

Django 1.8.2 fixes a security issue and several bugs in 1.8.1.

Fixed session flushing in the ``cached_db`` backend

===================================================

A change to ``session.flush()`` in the ``cached_db`` session backend in Django

1.8 mistakenly sets the session key to an empty string rather than ``None``. An

empty string is treated as a valid session key and the session cookie is set

accordingly. Any users with an empty string in their session cookie will use

the same session store. ``session.flush()`` is called by

``django.contrib.auth.logout()`` and, more seriously, by

``django.contrib.auth.login()`` when a user switches accounts. If a user is

logged in and logs in again to a different account (without logging out) the

session is flushed to avoid reuse. After the session is flushed (and its

session key becomes ``''``) the account details are set on the session and the

session is saved. Any users with an empty string in their session cookie will

now be logged into that account.

Bugfixes

========

@@ -162,6 +162,7 @@ def test_flush(self):

self.session.flush()

self.assertFalse(self.session.exists(prev_key))

self.assertNotEqual(self.session.session_key, prev_key)

self.assertIsNone(self.session.session_key)

self.assertTrue(self.session.modified)

self.assertTrue(self.session.accessed)