Fixed #20936 -- When logging out/ending a session, don't create a new, empty session.

Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out.
2025-10-24 06:06:09 +00:00 · 2013-08-18 22:36:36 -07:00
parent 9762ba2630
commit 393c0e2422
6 changed files with 69 additions and 28 deletions
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -231,12 +231,17 @@ You can edit it multiple times.

    .. method:: flush()

-      Delete the current session data from the session and regenerate the
-      session key value that is sent back to the user in the cookie. This is
-      used if you want to ensure that the previous session data can't be
-      accessed again from the user's browser (for example, the
+      Delete the current session data from the session and delete the session
+      cookie. This is used if you want to ensure that the previous session data
+      can't be accessed again from the user's browser (for example, the
      :func:`django.contrib.auth.logout()` function calls it).

+      .. versionchanged:: 1.8
+
+          Deletion of the session cookie is a behavior new in Django 1.8.
+          Previously, the behavior was to regenerate the session key value that
+          was sent back to the user in the cookie.
+
    .. method:: set_test_cookie()

      Sets a test cookie to determine whether the user's browser supports