People ran into problems because we started invalidating the session on logout in 2.9.2. They expect certain session attributes like the seraph LOGGED_OUT_KEY to be present.

This means we need to remove all session attributes except some special attributes like the seraph ones. The other option would be to only remove critical attributes like the users history from the session and leave it untouched otherwise. But I would rather go for the first approach, and remove as much data from the session as possible to avoid privacy issue created by future code.