Oh, and BTW, what *is* the official way to expire a session? I did a "del get_session_manager()[request.session.id]" (I mean, why else would it provide a __delitem__?) and wondered why it kept coming back before I realized I needed to satisfy is_empty() for it to revoke the cookie. So now I do "session.user = session.actual_user = None" (yeah, I know, supposed to use the setters for that), but that seems too low-level, even though it works.
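A simplified model of the behaviour described above, added here as an example and not Quixote's own code. It assumes the manager re-saves any non-empty session still bound to the request when the request finishes, which is why a bare `del` is undone; every name other than `is_empty()` is hypothetical.

```python
class Session:
    def __init__(self, sid):
        self.id = sid
        self.user = None

    def is_empty(self):
        # Nothing worth persisting once the user is cleared.
        return self.user is None


class SessionManager(dict):
    """Toy store mapping session id -> Session (constructed model)."""

    def maintain_session(self, request, session):
        # Assumption: this runs at the end of every request.
        if session.is_empty():
            self.pop(session.id, None)
            request["set_cookie"] = None    # revoke the client's cookie
        else:
            self[session.id] = session      # re-save: undoes an earlier del
            request["set_cookie"] = session.id


def logout_by_delete(mgr, request):
    # Store entry is removed, but the live object still carries the user.
    del mgr[request["session"].id]
    mgr.maintain_session(request, request["session"])


def logout_by_clearing(mgr, request):
    # Clearing the user makes is_empty() true, so the cookie is revoked.
    request["session"].user = None
    mgr.maintain_session(request, request["session"])


def demo(logout):
    """Return (session still stored?, cookie value sent to the client)."""
    mgr = SessionManager()
    sess = Session("constructed-id-1")      # constructed sample id
    sess.user = "alice"                     # constructed sample user
    mgr[sess.id] = sess
    request = {"session": sess, "set_cookie": sess.id}
    logout(mgr, request)
    return (sess.id in mgr, request["set_cookie"])
```

In this model a logout that only deletes the store entry leaves the user authenticated on the next request, so a logout test should check both the store and the cookie sent back to the client.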