Comment 30 for bug 1394370

Donald Stufft (dstufft) wrote : Re: horizon login page is vulnerable to DOS attack

Note that accessing request.user does *not* create a session ever with Django. It will access the session, yes, but it won't modify it, and you require a modification to save a session (and thus create one if one doesn't already exist) unless you have SESSION_SAVE_EVERY_REQUEST set to True.

This is the clear code in Django -> https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L137-L143

It makes sense for the clear code to mark the session as modified because what it's doing is emptying the session of all data, but it keeps the same session id.

Here's the login code in Django by the way as well -> https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L77-L105

It's actually careful not to clear the session data when going from anonymous -> logged in, but to ensure that it does clear the session data when going from logged in (or thinks it's logged in) -> logged in with a different user.
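The save rules the comment above describes (reads never persist a session, writes and clear() do, login keeps data for anonymous -> logged in but flushes for a user switch) can be modelled in a few dozen lines. The following is an added, simplified example written for this page, not Django's own code: the class and function names (SessionStore, save_if_needed, login) and the in-memory backend are assumptions standing in for django.contrib.sessions and django.contrib.auth, and the scenario functions at the end return the observable outcome of each rule so it can be checked directly.

```python
"""Simplified model of Django's session-save rules (added example, not Django code).
Assumed stand-ins: SessionStore for the session backend, save_if_needed for the
middleware's save decision, login for django.contrib.auth.login."""
import secrets

# Constructed in-memory backend: session_key -> dict of session data.
BACKEND = {}


class SessionStore:
    """Reading never marks the session modified; writes, clear(), flush() and
    cycle_key() do."""

    def __init__(self, session_key=None, save_every_request=False):
        self.session_key = session_key
        self.save_every_request = save_every_request  # SESSION_SAVE_EVERY_REQUEST
        self.modified = False
        self.accessed = False
        self._data = None

    def _load(self):
        self.accessed = True
        if self._data is None:
            self._data = dict(BACKEND.get(self.session_key, {}))
        return self._data

    def get(self, key, default=None):
        return self._load().get(key, default)

    def __setitem__(self, key, value):
        self._load()[key] = value
        self.modified = True

    def clear(self):
        # Empties the data but keeps the same session id, so the emptied
        # state must be marked modified to be persisted.
        self._data = {}
        self.modified = True

    def cycle_key(self):
        # Keep the data, issue a fresh id (session-fixation defence).
        data = dict(self._load())
        BACKEND.pop(self.session_key, None)
        self.session_key, self._data, self.modified = None, data, True

    def flush(self):
        # Drop data and id: the next save creates a brand-new session.
        BACKEND.pop(self.session_key, None)
        self.session_key, self._data, self.modified = None, {}, True

    def save(self):
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        BACKEND[self.session_key] = dict(self._load())

    def save_if_needed(self):
        """Middleware rule: persist only when modified, unless
        SESSION_SAVE_EVERY_REQUEST is on and the session was accessed."""
        if self.modified or (self.save_every_request and self.accessed):
            self.save()
            return True
        return False


def current_user(session):
    """request.user equivalent: a read-only lookup, never a write."""
    return session.get("_auth_user_id")


def login(session, user_id):
    """Keep session data for anonymous -> logged in; flush it when a
    different user was already logged in."""
    existing = current_user(session)
    if existing is not None and existing != user_id:
        session.flush()
    else:
        session.cycle_key()
    session["_auth_user_id"] = user_id


def anonymous_hits_create_sessions(hits, save_every_request=False):
    """Return how many sessions `hits` anonymous requests that only read
    request.user leave in the backend."""
    BACKEND.clear()
    for _ in range(hits):
        session = SessionStore(save_every_request=save_every_request)
        current_user(session)
        session.save_if_needed()
    return len(BACKEND)


def clear_keeps_session_id():
    """Return (same_id, stored_data) after clear() on a saved session."""
    BACKEND.clear()
    session = SessionStore()
    session["x"] = 1
    session.save()
    key = session.session_key
    session.clear()
    session.save_if_needed()
    return session.session_key == key, BACKEND[key]


def login_scenario():
    """Return (cart after first login, cart after switching user, sessions)."""
    BACKEND.clear()
    session = SessionStore()
    session["cart"] = ["a"]
    session.save()
    login(session, "alice")
    session.save_if_needed()
    after_first = session.get("cart")
    login(session, "bob")
    session.save_if_needed()
    return after_first, session.get("cart"), len(BACKEND)


if __name__ == "__main__":
    print(anonymous_hits_create_sessions(100), anonymous_hits_create_sessions(100, True))
    print(clear_keeps_session_id(), login_scenario())
```

With the default setting, 100 anonymous hits that only read request.user leave zero sessions; with SESSION_SAVE_EVERY_REQUEST on, every such hit persists one, which is the difference that matters when reasoning about unauthenticated session creation.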