clear session identifier on logout (#404)

* clear session identifier on logout

* self is login_manager

* fix pep8

flask_login/login_manager.py

@@ -169,7 +169,7 @@ def unauthorized(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(login_view)
-            session['_id'] = current_app.login_manager._session_identifier_generator()
+            session['_id'] = self._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(login_view)
         else:
@@ -282,7 +282,7 @@ def needs_refresh(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(self.refresh_view)
-            session['_id'] = current_app.login_manager._session_identifier_generator()
+            session['_id'] = self._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(self.refresh_view)
         else:

flask_login/utils.py

@@ -195,6 +195,9 @@ def logout_user():
     if '_fresh' in session:
         session.pop('_fresh')
 
+    if '_id' in session:
+        session.pop('_id')
+
     cookie_name = current_app.config.get('REMEMBER_COOKIE_NAME', COOKIE_NAME)
     if cookie_name in request.cookies:
         session['remember'] = 'clear'

test_login.py

@@ -518,7 +518,7 @@ def login():
                              'http://localhost/login')
             self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
 
-    def test_unauthorized_with_next_in_strong_session_where_current_user_is_called(self):
+    def test_unauthorized_with_next_in_strong_session(self):
         self.login_manager.login_view = 'login'
         self.app.config['SESSION_PROTECTION'] = 'strong'
         self.app.config['USE_SESSION_FOR_NEXT'] = True