Index: django/contrib/auth/__init__.py
===================================================================
--- django/contrib/auth/__init__.py	(revision 7724)
+++ django/contrib/auth/__init__.py	(working copy)
@@ -53,14 +53,18 @@
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
+    if request.session.get(SESSION_KEY, user.id) != user.id:
+        # a different user was logged in, his data has to be cleared
+        request.session.clear()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):
         request.user = user
 
-def logout(request):
+def logout(request, clear_session=True):
     """
-    Remove the authenticated user's ID from the request.
+    Remove the authenticated user's ID from the request and optionally clear
+    the session.
     """
     try:
         del request.session[SESSION_KEY]
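Review bot: The added check in login() resets the session only when a different user id is already stored; for an anonymous session `request.session.get(SESSION_KEY, user.id)` falls back to `user.id`, so the pre-login session data is carried into the authenticated session. Nothing in this hunk changes the session identifier either, which leaves the session-fixation case uncovered. I would rotate the identifier on every successful login, for example `request.session.cycle_key()` before `request.session[SESSION_KEY] = user.id`, and use `request.session.flush()` rather than `clear()` in the different-user branch. Whether the session backend at this revision provides those two methods needs confirming. login() starts above the hunk, so any earlier session handling is not visible here.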
@@ -70,6 +74,8 @@
         del request.session[BACKEND_SESSION_KEY]
     except KeyError:
         pass
+    if clear_session:
+        request.session.clear()
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()
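Review bot: `request.session.clear()` in logout() empties the stored data, but nothing visible here invalidates the session identifier, so the browser presumably keeps the same session cookie after logout. If the backend offers it, `request.session.flush()` would drop the identifier as well. When `clear_session` is true the two `del` blocks above are redundant. The new default also changes behaviour for existing callers that relied on session data surviving logout. The docstring in the previous hunk should say so, for instance `clear_session=False keeps all non-auth session data; the caller must ensure none of it is user-specific.`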
