According to the login
source code:
def login(request, user):
"""
Persist a user id and a backend in the request. This way a user doesn't
have to reauthenticate on every request. Note that data set during
the anonymous session is retained when the user logs in.
"""
So, if you set something in the anonymous request.session
it will be there after logging in.
login
flushes the session only if the existing session corresponds to a different authenticated user
.
logout
always flushes the session (source code).
Hope that helps.