some extra caution for session management

auth/auth_systems/password.py

@@ -57,7 +57,7 @@ def password_login_view(request):
           if request.POST.has_key('return_url'):
             request.session['auth_return_url'] = request.POST.get('return_url')
 
-          request.session['user'] = user
+          request.session['password_user'] = user
           return HttpResponseRedirect(reverse(after))
       except User.DoesNotExist:
         pass
@@ -101,7 +101,7 @@ def get_auth_url(request, redirect_url = None):
   return reverse(password_login_view)
     
 def get_user_info_after_auth(request):
-  user = request.session['user']
+  user = request.session['password_user']
   user_info = user.info
   
   return {'type': 'password', 'user_id' : user.user_id, 'name': user.name, 'info': user.info, 'token': None}

auth/views.py

@@ -81,6 +81,12 @@ def do_local_logout(request):
   # but we definitely kill the session and renew
   # the cookie
   field_names_to_save = request.session.get(FIELDS_TO_SAVE, [])
+
+  # let's clean up the self-referential issue:
+  field_names_to_save = set(field_names_to_save)
+  field_names_to_save.remove(FIELDS_TO_SAVE)
+  field_names_to_save = list(field_names_to_save)
+
   fields_to_save = dict([(name, request.session.get(name, None)) for name in field_names_to_save])
 
   # let's not forget to save the list of fields to save
@@ -127,7 +133,8 @@ def start(request, system_name):
   if not (system_name in auth.ENABLED_AUTH_SYSTEMS):
     return HttpResponseRedirect(reverse(index))
   
-  request.session.save()
+  # why is this here? Let's try without it
+  # request.session.save()
   
   # store in the session the name of the system used for auth
   request.session['auth_system_name'] = system_name