summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/authentication.txt7
-rw-r--r--docs/sessions.txt9
2 files changed, 14 insertions, 2 deletions
diff --git a/docs/authentication.txt b/docs/authentication.txt
index acd378fcab..4345fc0c11 100644
--- a/docs/authentication.txt
+++ b/docs/authentication.txt
@@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
+**New in Django development version:** When you call ``logout()``, the session
+data for the current request is completely cleaned out. All existing data is
+removed. This is to prevent another person from using the same web browser to
+log in and have access to the previous user's session data. If you want to put
+anything into the session that will be available to the user immediately after
+logging out, do that *after* calling ``django.contrib.auth.logout()``.
+
Limiting access to logged-in users
----------------------------------
diff --git a/docs/sessions.txt b/docs/sessions.txt
index 7971601c7a..f828c76bde 100644
--- a/docs/sessions.txt
+++ b/docs/sessions.txt
@@ -117,8 +117,8 @@ It also has these methods:
Delete the current session data from the database and regenerate the
session key value that is sent back to the user in the cookie. This is
used if you want to ensure that the previous session data can't be
- accessed again from the user's browser (for example, the standard
- ``logout()`` method calls it).
+ accessed again from the user's browser (for example, the
+ ``django.contrib.auth.logout()`` method calls it).
* ``set_test_cookie()``
@@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
pass
return HttpResponse("You're logged out.")
+The standard ``django.contrib.auth.logout()`` function actually does a bit
+more than this to prevent inadvertent data leakage. It calls
+``request.session.flush()``. We are using this example as a demonstration of
+how to work with session objects, not as a full ``logout()`` implementation.
+
Setting test cookies
====================