diff -r 6641e941ef1e -r ff1a9aa48cfd app/django/contrib/auth/__init__.py
--- a/app/django/contrib/auth/__init__.py	Tue Oct 14 12:36:55 2008 +0000
+++ b/app/django/contrib/auth/__init__.py	Tue Oct 14 16:00:59 2008 +0000
@@ -53,6 +53,15 @@
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
+
+    if SESSION_KEY in request.session:
+        if request.session[SESSION_KEY] != user.id:
+            # To avoid reusing another user's session, create a new, empty
+            # session if the existing session corresponds to a different
+            # authenticated user.
+            request.session.flush()
+        else:
+            request.session.cycle_key()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):
@@ -60,16 +69,10 @@
 def logout(request):
     """
-    Remove the authenticated user's ID from the request.
+    Removes the authenticated user's ID from the request and flushes their
+    session data.
     """
-    try:
-        del request.session[SESSION_KEY]
-    except KeyError:
-        pass
-    try:
-        del request.session[BACKEND_SESSION_KEY]
-    except KeyError:
-        pass
+    request.session.flush()
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()
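Review bot: In the first hunk a session that has no SESSION_KEY yet is neither flushed nor re-keyed: the new `else:` hangs off the inner `if request.session[SESSION_KEY] != user.id:` comparison, so `cycle_key()` only runs when the same user logs in again, and the common anonymous-to-authenticated transition keeps the pre-login session ID — exactly the session-fixation case that key rotation is meant to close. Attaching the `else:` to the outer `if SESSION_KEY in request.session:` instead (dedent it one level so it reads `    else:` / `        request.session.cycle_key()`) gives every first login a fresh key; whether the same-user re-login branch then also cycles is a separate choice, but it should not be the only branch that does. The enclosing `login()` begins before this hunk, so the fall-through to `request.session[SESSION_KEY] = user.id` should be checked against the full function. The second hunk's `flush()` in `logout()` is consistent with this and needs no change.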