A change to session.flush() in the cached_db session backend in
Django 1.8 mistakenly sets the session key to an empty string
rather than None. An empty string is treated as a valid session key
and the session cookie is set accordingly. Any users with an empty
string in their session cookie will use the same session store.
session.flush() is called by django.contrib.auth.logout() and, more
seriously, by django.contrib.auth.login() when a user switches accounts.
If a user is logged in and logs in again to a different account
(without logging out) the session is flushed to avoid reuse.
After the session is flushed (and its session key becomes '') the
account details are set on the session and the session is saved.
Any users with an empty string in their session cookie will now be
logged into that account.
Thanks to Sam Cooke for reporting the issue.