Lin Hua Cheng discovered that a session could be created when anonymously accessing the django.contrib.auth.views.logout view. This could allow remote attackers to saturate the session store or cause other users" session records to be evicted. Additionally the contrib.sessions.backends.base.SessionBase.flush and cache_db.SessionStore.flush methods have been modified to avoid creating a new empty session as well.