Comment 14 for bug 1491117

Finally, I've found a way for stable bug reproducing inside development environment.

1. Set token.expiry at /etc/keystone/keystone.conf at devstack to really small value (say, 60 seconds).
2. login as admin
3. wait for a minute
4. refresh the page
5. once logged out, try to login as demo user
6. once you're banned from accessing /admin page...
7. set all the needed breakpoints and login as admin

So far I was able to get into django.contrib.auth.__init__, code

def _get_user_session_key(request):
    # This value in the session is always serialized to a string, so we need
    # to convert it back to Python whenever we access it.
    return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY])

which explained me, why Richard's fix is working. Yet I'm still wondering whether it could be solved in a more elegant way...