The documentation explicitly mentions that expired sessions aren't automatically deleted from the database, except when the user manually logs out. [1]
That, however, isn't the case. Firstly, when trying to access a user whose password was changed, the session is deleted from the database. [2] This, to me, seems the correct behaviour, and I think there should be a bug filed against the docs.
There's also a second case where this happens. [3] This one is a bit harder to follow. The way I read it, if you're already logged in and log in again, OR if the password is different (this is the part I have trouble understanding, I guess this can only happen when you call login for the same user, but don't verify the password). The latter part was added in
https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63 .
The first part, logging in as another user should act like a logout/login, but, the docs need a mention of it. The second, I don't really understand, so not sure whether what the change to the docs should say.
--
George-Cristian Bîrzan