Kemungkinan denial-of-service dalam tampilan logout() dengan mengisi sesi toko¶

Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout() view (provided it wasn't decorated with login_required() as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.

SessionMiddleware telah dirubah menjadi tidak lagi membuat rekaman sesi kosong, termasuk ketika SESSION_SAVE_EVERY_REQUEST aktif.

Selain itu, metode contrib.sessions.backends.base.SessionBase.flush() dan cache_db.SessionStore.flush() telah dirubah untuk menghindari membuat sesi kosong baru. Perawat dari backend sesi pihak-ketiga harus memeriksa jika kerentanan sama hadir di backend mereka dan memperbaiki itu kalai demikian.