From dd4f73f2543e350c0b4141efe31842be00161fa9 Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Tue, 29 Apr 2014 20:32:08 -0500
Subject: require ISession.invalidate to leave behind a usable session

---
 CHANGES.txt           | 3 +++
 pyramid/interfaces.py | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index c14939d81..02be109db 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -14,6 +14,9 @@ Next release
 - ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise
   ``ValueError`` when accidentally passed ``None``.
 
+- Clarify a previously-implied detail of the ``ISession.invalidate`` API
+  documentation.
+
 1.5 (2014-04-08)
 ================
 
diff --git a/pyramid/interfaces.py b/pyramid/interfaces.py
index 75b9b1cb9..aa2dbdafd 100644
--- a/pyramid/interfaces.py
+++ b/pyramid/interfaces.py
@@ -910,7 +910,13 @@ class ISession(IDict):
         ``invalidate`` is implementation-dependent, but it should have
         the effect of completely dissociating any data stored in the
         session with the current request.  It might set response
-        values (such as one which clears a cookie), or it might not."""
+        values (such as one which clears a cookie), or it might not.
+
+        An invalidated session may be used after the call to ``invalidate``
+        with the effect that a new session is created to store the data. This
+        enables workflows requiring an entirely new session, such as in the
+        case of changing privilege levels or preventing fixation attacks.
+        """
 
     def changed():
         """ Mark the session as changed.  A user of a session should
-- 
cgit v1.2.3
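Review bot: The added paragraph in the ``ISession.invalidate`` docstring offers "preventing fixation attacks" as a motivating use case, but the contract it states only requires that the old data be dissociated and that a new session be created to hold subsequent writes; it never requires the replacement session to carry a fresh session identifier. An implementation that wipes the data but keeps issuing the same cookie value would satisfy the text as written while leaving the fixation scenario unaddressed, so the interface should make the identifier requirement explicit rather than implied. Suggested addition after the sentence ending "preventing fixation attacks.": `Implementations must issue a new session identifier for the replacement session; reusing the identifier of the invalidated session defeats the fixation-prevention use case described above.` The ``def invalidate():`` signature and the opening line of its docstring sit above this hunk, so the full method is not visible here.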