fix: backport CVE-2026-35192 fix from Django 5.2

[jennifer-richards]

CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Patch from django/django@47cf968

Verified that Django's new tests pass after patching 4.2.30.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.49%. Comparing base (473bbb2) to head (b6ce684).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #10850   +/-   ##
=======================================
  Coverage   88.49%   88.49%           
=======================================
  Files         332      332           
  Lines       44851    44858    +7     
=======================================
+ Hits        39690    39697    +7     
  Misses       5161     5161           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.