Ticket #15891: session.patch

django/contrib/auth/__init__.py

@@ -61 +61 @@
     if user is None:
         user = request.user
     # TODO: It would be nice to support different login methods, like signed cookies.
-    if SESSION_KEY in request.session:
-        if request.session[SESSION_KEY] != user.id:
-            # To avoid reusing another user's session, create a new, empty
-            # session if the existing session corresponds to a different
-            # authenticated user.
-            request.session.flush()
-    else:
+    if request.session.get(SESSION_KEY) != user.id:
         request.session.cycle_key()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
@@ -87 +81 @@
         user = None
     user_logged_out.send(sender=user.__class__, request=request, user=user)
 
-    request.session.flush()
+    request.session.pop(SESSION_KEY, None)
+    request.session.pop(BACKEND_SESSION_KEY, None)
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()