Index: django-trunk/django/contrib/sessions/models.py
===================================================================
--- django-trunk/django/contrib/sessions/models.py	(revision 6783)
+++ django-trunk/django/contrib/sessions/models.py	(working copy)
@@ -1,78 +1,13 @@
-import os
-import sys
-import time
-import datetime
-import base64
-import md5
-import random
-import cPickle as pickle
-
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
 
-class SessionManager(models.Manager):
-    def encode(self, session_dict):
-        "Returns the given session dictionary pickled and encoded as a string."
-        pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
-
-    def get_new_session_key(self):
-        "Returns session key that isn't being used."
-        # The random module is seeded when this Apache child is created.
-        # Use SECRET_KEY as added salt.
-        try:
-            pid = os.getpid()
-        except AttributeError:
-            # No getpid() in Jython, for example
-            pid = 1
-        while 1:
-            session_key = md5.new("%s%s%s%s" % (random.randint(0, sys.maxint - 1), pid, time.time(), settings.SECRET_KEY)).hexdigest()
-            try:
-                self.get(session_key=session_key)
-            except self.model.DoesNotExist:
-                break
-        return session_key
-
-    def get_new_session_object(self):
-        """
-        Returns a new session object.
-        """
-        # FIXME: There is a *small* chance of collision here, meaning we will
-        # return an existing object. That can be fixed when we add a way to
-        # validate (and guarantee) that non-auto primary keys are unique. For
-        # now, we save immediately in order to reduce the "window of
-        # misfortune" as much as possible.
-        created = False
-        while not created:
-            obj, created = self.get_or_create(session_key=self.get_new_session_key(),
-                    expire_date = datetime.datetime.now())
-            # Collision in key generation, so re-seed the generator
-            random.seed()
-        return obj
-
-    def save(self, session_key, session_dict, expire_date):
-        s = self.model(session_key, self.encode(session_dict), expire_date)
-        if session_dict:
-            s.save()
-        else:
-            s.delete() # Clear sessions with no data.
-        return s
-
 class Session(models.Model):
     """
-    Django provides full support for anonymous sessions. The session
-    framework lets you store and retrieve arbitrary data on a
-    per-site-visitor basis. It stores data on the server side and
-    abstracts the sending and receiving of cookies. Cookies contain a
-    session ID -- not the data itself.
-
-    The Django sessions framework is entirely cookie-based. It does
-    not fall back to putting session IDs in URLs. This is an intentional
-    design decision. Not only does that behavior make URLs ugly, it makes
-    your site vulnerable to session-ID theft via the "Referer" header.
-
+    Saves sessions in database.
+    
+    Not for direct usage, please use SessionStore class
+    in django.contrib.sessions.backends.db module to access sessions.
+    
     For complete documentation on using Sessions in your code, consult
     the sessions documentation that is shipped with Django (also available
     on the Django website).
@@ -80,22 +15,8 @@
     session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
     session_data = models.TextField(_('session data'))
     expire_date = models.DateTimeField(_('expire date'))
-    objects = SessionManager()
 
     class Meta:
         db_table = 'django_session'
         verbose_name = _('session')
         verbose_name_plural = _('sessions')
-
-    def get_decoded(self):
-        encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
-            from django.core.exceptions import SuspiciousOperation
-            raise SuspiciousOperation, "User tampered with session cookie."
-        try:
-            return pickle.loads(pickled)
-        # Unpickling can cause a variety of exceptions. If something happens,
-        # just return an empty dictionary (an empty session).
-        except:
-            return {}
Index: django-trunk/docs/sessions.txt
===================================================================
--- django-trunk/docs/sessions.txt	(revision 6783)
+++ django-trunk/docs/sessions.txt	(working copy)
@@ -202,7 +202,7 @@
     >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
     >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s['last_login']
-    datetime.datetime(2005, 8, 20, 13, 35, 0)
+    datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s.save()
 
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
@@ -215,13 +215,12 @@
     >>> s.expire_date
     datetime.datetime(2005, 8, 20, 13, 35, 12)
 
-Note that you'll need to call ``get_decoded()`` to get the session dictionary.
+Note that you'll need to use ``SessionStore`` class
+in the ``django.contrib.sessions.backends.db`` to get the session dictionary.
 This is necessary because the dictionary is stored in an encoded format::
 
     >>> s.session_data
     'KGRwMQpTJ19hdXRoX3VzZXJfaWQnCnAyCkkxCnMuMTExY2ZjODI2Yj...'
-    >>> s.get_decoded()
-    {'user_id': 42}
 
 When sessions are saved
 =======================