From 088579638b160f3716dc81d194be70c72743593f Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Mon, 11 May 2015 09:58:43 -0400
Subject: [PATCH] Fixed incorrect session.flush() in cached_db session backend.

This is a security fix; disclosure to follow shortly.

Thanks Sam Cooke for the report and draft patch.
---
 django/contrib/sessions/backends/cached_db.py |  2 +-
 docs/releases/1.8.2.txt                       | 18 +++++++++++++++++-
 tests/sessions_tests/tests.py                 |  1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py
index 848913b51e..9257e2ba56 100644
--- a/django/contrib/sessions/backends/cached_db.py
+++ b/django/contrib/sessions/backends/cached_db.py
@@ -79,7 +79,7 @@ class SessionStore(DBStore):
         """
         self.clear()
         self.delete(self.session_key)
-        self._session_key = ''
+        self._session_key = None
 
 
 # At bottom to avoid circular import
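Review bot: The new `self._session_key = None` on the last changed line carries no comment explaining why `None` is required here, which is the whole substance of the fix and is easy to regress to `''` again when someone later "normalises" the attribute to a string. I would add above it `# Must be None, not '': the empty string is accepted as a valid session key, so every client presenting an empty session cookie would share (and be logged into) the same session store.` The `flush()` method starts outside the hunk; only the tail of its docstring and body are visible. It would also be worth confirming that the base backend's `flush()` resets the key the same way, so the two implementations stay consistent, but that code is not on this page.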
diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt
index 635bc96e92..2351664203 100644
--- a/docs/releases/1.8.2.txt
+++ b/docs/releases/1.8.2.txt
@@ -4,7 +4,23 @@ Django 1.8.2 release notes
 
 *Under development*
 
-Django 1.8.2 fixes several bugs in 1.8.1.
+Django 1.8.2 fixes a security issue and several bugs in 1.8.1.
+
+Fixed session flushing in the ``cached_db`` backend
+===================================================
+
+A change to ``session.flush()`` in the ``cached_db`` session backend in Django
+1.8 mistakenly sets the session key to an empty string rather than ``None``. An
+empty string is treated as a valid session key and the session cookie is set
+accordingly. Any users with an empty string in their session cookie will use
+the same session store. ``session.flush()`` is called by
+``django.contrib.auth.logout()`` and, more seriously, by
+``django.contrib.auth.login()`` when a user switches accounts. If a user is
+logged in and logs in again to a different account (without logging out) the
+session is flushed to avoid reuse. After the session is flushed (and its
+session key becomes ``''``) the account details are set on the session and the
+session is saved. Any users with an empty string in their session cookie will
+now be logged into that account.
 
 Bugfixes
 ========
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index 1420199698..091aea2f72 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -165,6 +165,7 @@ class SessionTestsMixin(object):
         self.session.flush()
         self.assertFalse(self.session.exists(prev_key))
         self.assertNotEqual(self.session.session_key, prev_key)
+        self.assertIsNone(self.session.session_key)
         self.assertTrue(self.session.modified)
         self.assertTrue(self.session.accessed)
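Review bot: The added `self.assertIsNone(self.session.session_key)` makes the preceding `self.assertNotEqual(self.session.session_key, prev_key)` redundant, provided `prev_key` holds the pre-flush key (its assignment is above the hunk, so this is inferred). Keeping both is harmless, but a one-line comment on the new assertion would tie it to the regression it guards: `# regression test: cached_db once left the key as '' after flush, a value treated as a valid key`. The enclosing test method starts outside the hunk.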