The documentation explicitly mentions that expired sessions aren't automatically deleted from the database, except when the user manually logs out. [1]
That, however, isn't the case. Firstly, when trying to access a user whose password was changed, the session is deleted from the database. [2] This, to me, seems the correct behaviour, and I think there should be a bug filed against the docs.

There's also a second case where this happens. [3] This one is a bit harder to follow. The way I read it, if you're already logged in and log in again, OR if the password is different (this is the part I have trouble understanding, I guess this can only happen when you call login for the same user, but don't verify the password). The latter part was added in https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63 .

The first part, logging in as another user, should act like a logout/login, but the docs need a mention of it. The second, I don't really understand, so I'm not sure what the change to the docs should say.

[1] - https://docs.djangoproject.com/en/2.0/topics/http/sessions/#clearing-the-session-store
[2] - https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L194
[3] - https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L99

--
George-Cristian Bîrzan

You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
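
The two cases described in the message above, as a simplified stand-alone model added here (it is not Django's code and not part of the original post). A dict stands in for the session table, and `auth_hash`, `flush`, `login`, `get_user`, the key and the sample users are all constructed for illustration.

```python
import hashlib, hmac, secrets

SECRET = b"constructed-demo-key"   # stand-in for the site's secret key
STORE = {}                         # session key -> data; stands in for the session table

def auth_hash(user):
    # Derived from the stored password value, so it changes when the password does.
    return hmac.new(SECRET, user["password"].encode(), hashlib.sha256).hexdigest()

def flush(session):
    # Delete the stored row and continue with a fresh, empty session.
    STORE.pop(session["key"], None)
    session.clear()
    session["key"] = secrets.token_hex(8)

def login(session, user):
    if "user_id" in session:
        same_user = session["user_id"] == user["id"]
        same_hash = hmac.compare_digest(session.get("hash", ""), auth_hash(user))
        if not same_user or not same_hash:
            flush(session)          # second case [3]: different user, or hash mismatch
    else:
        STORE.pop(session["key"], None)
        session["key"] = secrets.token_hex(8)   # anonymous session: only rotate the key
    session.update(user_id=user["id"], hash=auth_hash(user))
    STORE[session["key"]] = dict(session)

def get_user(session, users):
    user = users.get(session.get("user_id"))
    if user is None:
        return None
    if not hmac.compare_digest(session.get("hash", ""), auth_hash(user)):
        flush(session)              # first case [2]: password changed since login
        return None
    return user

def demo():
    STORE.clear()
    users = {1: {"id": 1, "password": "hash-old"}, 2: {"id": 2, "password": "hash-x"}}
    s = {"key": secrets.token_hex(8)}
    login(s, users[1]); k1 = s["key"]
    users[1]["password"] = "hash-new"           # password changed elsewhere
    case2 = get_user(s, users) is None and k1 not in STORE
    login(s, users[1]); k2 = s["key"]
    login(s, users[2])                          # log in again as a different user
    return case2, k2 not in STORE, s["user_id"], len(STORE)

if __name__ == "__main__":
    print(demo())
```

In both cases the old row leaves the store without an explicit logout, and only the new session for the second user remains.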