id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23066	Already logged-in user remains logged in when RemoteUser authentication of new user fails	david.greisen@…	nobody	"Currently, when remoteUserBackend fails to authenticate the
username passed in the header, and create_unknown_user==False,
RemoteUserMiddleware does nothing. Thus, if a different user
was logged in, that user will remain logged in despite the failed
attempt to log in a new user.

This is a security issue.

https://github.com/django/django/pull/2936 fixes this problem 
by logging out the request if the user returned
by the middleware is None (a failed login attempt)."	Bug	closed	contrib.auth	dev	Normal	fixed	remoteUserBackend RemoteUserMiddleware		Accepted	1	0	1	0	0	0