summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.2.txt18
1 files changed, 17 insertions, 1 deletions
diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt
index 635bc96e92..2351664203 100644
--- a/docs/releases/1.8.2.txt
+++ b/docs/releases/1.8.2.txt
@@ -4,7 +4,23 @@ Django 1.8.2 release notes
*Under development*
-Django 1.8.2 fixes several bugs in 1.8.1.
+Django 1.8.2 fixes a security issue and several bugs in 1.8.1.
+
+Fixed session flushing in the ``cached_db`` backend
+===================================================
+
+A change to ``session.flush()`` in the ``cached_db`` session backend in Django
+1.8 mistakenly sets the session key to an empty string rather than ``None``. An
+empty string is treated as a valid session key and the session cookie is set
+accordingly. Any users with an empty string in their session cookie will use
+the same session store. ``session.flush()`` is called by
+``django.contrib.auth.logout()`` and, more seriously, by
+``django.contrib.auth.login()`` when a user switches accounts. If a user is
+logged in and logs in again to a different account (without logging out) the
+session is flushed to avoid reuse. After the session is flushed (and its
+session key becomes ``''``) the account details are set on the session and the
+session is saved. Any users with an empty string in their session cookie will
+now be logged into that account.
Bugfixes
========