Note that accessing request.user does *not* create a session ever with Django. It will access the session yes, but it won't modify it and you require a modification to save a session (and thus create one if one doesn't already exist) unless you have SESSION_SAVE_EVERY_REQUEST set to True.
It makes sense for the clear code to mark the session as modified because what's it's doing is emptying the session of all data, but it keeps the same session id.
It's acutally careful not to clear the session data when going from anonymous -> logged in, but to ensure that it does clear the session data when going from logged in (or thinks it's logged in) -> logged in with a different user.
Note that accessing request.user does *not* create a session ever with Django. It will access the session yes, but it won't modify it and you require a modification to save a session (and thus create one if one doesn't already exist) unless you have SESSION_ SAVE_EVERY_ REQUEST set to True.
This is the clear code in Django -> https:/ /github. com/django/ django/ blob/master/ django/ contrib/ sessions/ backends/ base.py# L137-L143
It makes sense for the clear code to mark the session as modified because what's it's doing is emptying the session of all data, but it keeps the same session id.
Here's the login code in Django by the way as well -> https:/ /github. com/django/ django/ blob/master/ django/ contrib/ auth/__ init__. py#L77- L105
It's acutally careful not to clear the session data when going from anonymous -> logged in, but to ensure that it does clear the session data when going from logged in (or thinks it's logged in) -> logged in with a different user.