Denial-of-service possibility in logout() view by filling session store¶

Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout() view (provided it wasn’t decorated with login_required() as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.

The SessionMiddleware has been modified to no longer create empty session records, including when SESSION_SAVE_EVERY_REQUEST is active.

Bugfixes¶

• Added the ability to serialize values from the newly added UUIDField (#25019).
• Added a system check warning if the old TEMPLATE_* settings are defined in addition to the new TEMPLATES setting.
• Fixed QuerySet.raw() so InvalidQuery is not raised when using the db_column name of a ForeignKey field with primary_key=True (#12768).
• Prevented an exception in TestCase.setUpTestData() from leaking the transaction (#25176).
• Fixed has_changed() method in contrib.postgres.forms.HStoreField (#25215, #25233).
• Fixed the recording of squashed migrations when running the migrate command (#25231).
• Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage of in-memory models (#25160).
• Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField (#25180).