=========================== Django 1.7.10 release notes =========================== *August 18, 2015* Django 1.7.10 fixes a security issue in 1.7.9. Denial-of-service possibility in ``logout()`` view by filling session store =========================================================================== Previously, a session could be created when anonymously accessing the ``django.contrib.auth.views.logout()`` view (provided it wasn't decorated with :func:`~django.contrib.auth.decorators.login_required` as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted. The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been modified to no longer create empty session records, including when :setting:`SESSION_SAVE_EVERY_REQUEST` is active. Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and ``cache_db.SessionStore.flush()`` methods have been modified to avoid creating a new empty session. Maintainers of third-party session backends should check if the same vulnerability is present in their backend and correct it if so.