Ticket #6941: 6941_notests.diff

django/contrib/auth/__init__.py

@@ -43 +43 @@
         user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
         return user
 
+def clear_session(request):
+    """
+    Clear the session out.
+    """
+    from django.conf import settings
+    from django.contrib.sessions.middleware import SessionMiddleware
+
+    # Uses the cookies to remove memory.
+    request.COOKIES[settings.SESSION_COOKIE_NAME] = None
+    SessionMiddleware().process_request(request)
+
 def login(request, user):
     """
     Persist a user id and a backend in the request. This way a user doesn't
@@ -53 +64 @@
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
+    if request.session.get(SESSION_KEY, user.id) != user.id:
+        # A different user is logged in; we need to destroy the session.
+        clear_session(request)
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):
@@ -62 +76 @@
     """
     Remove the authenticated user's ID from the request.
     """
-    try:
-        del request.session[SESSION_KEY]
-    except KeyError:
-        pass
-    try:
-        del request.session[BACKEND_SESSION_KEY]
-    except KeyError:
-        pass
+    # Since the user is logging out, just clear their session:
+    clear_session(request)
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()