Authentication backends documentation doesn't mention that backends are stored in Sessions.
|Reported by:||Owned by:||Jacob|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The Authentication Backends docs don't mention that when a User is successfully authenticated, the path to the backend that authenticated them is stored in a Session variable.
Problems can occur when you change settings.py from one custom backend to another backend. Django attempts to import the backend specified by the path in the session, so when a request comes from a User who has already authenticated through the previous backend an exception is raised.
A simple fix for this is
Session.objects.all().delete(). However it should be noted that even after updating the
AUTHENTICATION_BACKENDS setting, your application may still contain references to the old setting.