Django 1.4.22 release notes

Django 1.4.22 fixes a security issue in 1.4.21.

Previously, a session could be created when anonymously accessing the view (provided it wasn’t decorated with as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.

Additionally, the and cache_db.SessionStore.flush() methods have been modified to avoid creating a new empty session. Maintainers of third-party session backends should check if the same vulnerability is present in their backend and correct it if so.