69.4. Logout still linked to account

When a user creates a new account, the session keeps the same session_id it had while the user was still unauthenticated, and that session_id survives logout as well. Everything done under that identifier, before account creation, while logged in, and after logging out, is therefore linked together: whoever uses the browser after the logout continues the same session and inherits whatever data is still attached to it. The root cause is that the session is never reset; neither account creation nor logout issues a fresh session.

The fix is to generate a new session_id whenever the user logs out. The unauthenticated session that follows a logout is then a separate session that carries no data over, so nothing done in it can be associated with the account that was just logged out. Account creation is deliberately left as it is: relevant data from the anonymous session is still passed into the new account at signup, which preserves a seamless user experience. (Rotating the identifier at login is the standard defence against session fixation; Django's own login() does this through cycle_key(), which keeps the session data but issues a new key. Logout is the boundary this page addresses.)

To implement this solution, we updated the perform_logout view function.

views.py
from django.contrib.auth import logout
from django.contrib.auth.decorators import login_required
from django.shortcuts import redirect


@login_required
def perform_logout(request):
    # Log out the user. django.contrib.auth.logout() already flushes the
    # session; the explicit flush below keeps that intent visible.
    logout(request)

    # Clear all session data and issue a new session_id, so the now
    # anonymous session shares nothing with the account just logged out
    request.session.flush()

    # Clear the current session cookie. The name must match
    # SESSION_COOKIE_NAME in settings (Django's default is 'sessionid').
    response = redirect('perform_login')
    response.delete_cookie('id_session')

    return response

Now, whenever the user logs out, the unauthenticated session that follows has a fresh session_id and no carried-over data, so it is no longer linked to the account that was just logged out.
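To see the three operations the fix relies on in isolation, here is an added example (not code from this page or from Django): a small in-memory session store that mirrors the semantics of Django's SessionBase.cycle_key() (new key, same data) and flush() (new key, empty data), driven through the anonymous, signup and logout steps with the broken and the fixed logout side by side. The store, the signup() helper, the username alice and the cart items are all constructed for the example.

```python
"""Session life cycle: anonymous -> signup -> logout, with and without the reset.

Added example, not the page's Django code. SessionStore mirrors two Django
SessionBase operations: cycle_key() (new key, data kept) and flush() (new key,
data dropped). The account record, username and cart items are constructed.
"""
import secrets


class SessionStore:
    """In-memory session backend: session_key -> dict of session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Start an empty session under a fresh random key."""
        key = secrets.token_urlsafe(24)
        self._sessions[key] = {}
        return key

    def exists(self, key):
        return key in self._sessions

    def data(self, key):
        return self._sessions[key]

    def cycle_key(self, key):
        """Keep the session data but move it under a new key (login boundary)."""
        payload = self._sessions.pop(key)
        new_key = secrets.token_urlsafe(24)
        self._sessions[new_key] = payload
        return new_key

    def flush(self, key):
        """Drop the data and the key; the caller continues with a new empty session."""
        self._sessions.pop(key, None)
        return self.create()


def signup(store, key, username, accounts):
    """Create an account, carrying the anonymous session's data into it."""
    payload = store.data(key)
    # Copy, so the account's record is independent of the session dict
    accounts[username] = {"cart": list(payload.get("cart", []))}
    new_key = store.cycle_key(key)       # rotate the identifier at the boundary
    store.data(new_key)["user"] = username
    return new_key


def logout_broken(store, key):
    """'Before': forget the user but keep the key and everything else in it."""
    store.data(key).pop("user", None)
    return key


def logout_fixed(store, key):
    """'After': flush, so the visitor continues with a brand-new session."""
    return store.flush(key)


def run_scenario(logout):
    """Drive one life cycle and report what the post-logout visitor inherits."""
    store, accounts = SessionStore(), {}
    anon = store.create()
    store.data(anon).setdefault("cart", []).append("item-1")   # anonymous activity
    authed = signup(store, anon, "alice", accounts)
    after = logout(store, authed)
    # A later, anonymous visitor on the same browser adds something
    store.data(after).setdefault("cart", []).append("item-2")
    return {
        "rotated_on_signup": authed != anon,
        "rotated_on_logout": after != authed,
        "old_key_still_valid": store.exists(authed),
        "post_logout_data": dict(store.data(after)),
        "account": accounts["alice"],
    }


if __name__ == "__main__":
    for name, fn in (("broken", logout_broken), ("fixed", logout_fixed)):
        print(name, run_scenario(fn))
```

With logout_broken the post-logout visitor still holds the old key and finds "item-1" from alice's session in their cart; with logout_fixed the old key is gone, the new session starts empty, and alice's account keeps the data that was migrated at signup. In a real Django view, request.session.flush() plays the role of SessionStore.flush() here, and django.contrib.auth.login() performs the cycle_key() step.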
