Ticket #21608: 21608.diff

django/contrib/sessions/backends/base.py

@@ -301 +301 @@
         key = self.session_key
         self.create()
         self._session_cache = data
-        self.delete(key)
+        if key:
+            self.delete(key)
 
     # Methods that child classes must implement.
 

django/contrib/sessions/backends/db.py

@@ -83 +83 @@
         using = router.db_for_write(self.model, instance=obj)
         try:
             with transaction.atomic(using=using):
-                obj.save(force_insert=must_create, using=using)
+                obj.save(force_insert=must_create, force_update=not must_create, using=using)
         except IntegrityError:
             if must_create:
                 raise CreateError

tests/defer_regress/tests.py

@@ -131 +131 @@
         s = SessionStore(SESSION_KEY)
         s.clear()
         s["item"] = item
-        s.save()
+        s.save(must_create=True)
 
         s = SessionStore(SESSION_KEY)
         s.modified = True

tests/sessions_tests/tests.py

@@ -424 +424 @@
         # ... and one is deleted.
         self.assertEqual(1, self.model.objects.count())
 
+    def test_ticket_21608(self):
+        # Test for #21608 - Logged out sessions are resurrected by concurrent requests.
+
+        # Create new session.
+        SESSION_KEY = 'tkniiqcv0js5reo8y0ofrywrhmwnt9xw'
+        s1 = DatabaseSession(SESSION_KEY)
+        s1.save(must_create=True)
+
+        # Logout in an other context.
+        s2 = DatabaseSession(SESSION_KEY)
+        s2.delete()
+
+        # Modify session in first context.
+        s1.modified = True
+        try:
+            s1.save()  # This should throw an exception as the session is deleted, not resurrect it.
+        except:
+            pass
+
+        with self.assertRaises(Session.DoesNotExist):
+            Session.objects.get(pk=SESSION_KEY)
+
 
 @override_settings(USE_TZ=True)
 class DatabaseSessionWithTimeZoneTests(DatabaseSessionTests):