From 2e7cc018fe109fa6aca6c8c8156eaa5864696d67 Mon Sep 17 00:00:00 2001
From: eric
Date: Thu, 20 Nov 2014 08:49:09 -0700
Subject: [PATCH] Horizon login page contains DOS attack mechanism

the horizon login page (really the middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backends are used.

Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
Closes-Bug: 1394370
---
 horizon/middleware.py | 10 ++++++----
 horizon/test/tests/middleware.py | 1 +
 openstack_dashboard/views.py | 5 ++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/horizon/middleware.py b/horizon/middleware.py
index a0d9c3d..885489e 100644
--- a/horizon/middleware.py
+++ b/horizon/middleware.py
@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
 request.horizon = {'dashboard': None,
 'panel': None,
 'async_messages': []}
+ if not hasattr(request, "user") or not request.user.is_authenticated():
+ # proceed no further if the current request is already known
+ # not to be authenticated
+ # it is CRITICAL to perform this check as early as possible
+ # to avoid creating too many sessions
+ return None
 # Check for session timeout if user is (or was) authenticated.
 has_timed_out, timestamp = self._check_has_timed_timeout(request)
 if has_timed_out:
 return self._logout(request, request.path, _("Session timed out."))
- if not hasattr(request, "user") or not request.user.is_authenticated():
- # proceed no further if the current request is already known
- # not to be authenticated
- return None
 if request.is_ajax():
 # if the request is Ajax we do not want to proceed, as clients can
 # 1) create pages with constant polling, which can create race
diff --git a/horizon/test/tests/middleware.py b/horizon/test/tests/middleware.py
index 617351f..f17a155 100644
--- a/horizon/test/tests/middleware.py
+++ b/horizon/test/tests/middleware.py
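Review bot: The guard that was moved up still dereferences `request.user`, and when that attribute is populated by Django's AuthenticationMiddleware it is a lazy object whose `is_authenticated()` loads the user from `request.session` — so the new comment's claim that this placement avoids creating sessions holds only if the configured session backend does not create a record on load, which cannot be confirmed from this hunk. A guard that provably never touches the session would test for the session cookie before evaluating `request.user`, e.g. `if settings.SESSION_COOKIE_NAME not in request.COOKIES: return None` (assuming `settings` is importable in this module). The move also puts the return ahead of `_check_has_timed_timeout`, so an unauthenticated request whose session presumably still carries a stale `last_activity` no longer goes through `_logout(request, request.path, _("Session timed out."))`; if that message is relied on, state the trade-off in the comment rather than only "CRITICAL". `process_request` starts before this hunk and continues after it.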
@@ -42,6 +42,7 @@ class MiddlewareTests(test.TestCase):
 timeout = settings.SESSION_TIMEOUT
 except AttributeError:
 timeout = 1800
+ request.COOKIES[settings.SESSION_COOKIE_NAME] = "sessionIdABC"
 request.session['last_activity'] = int(time.time()) - (timeout + 10)
 mw = middleware.HorizonMiddleware()
 resp = mw.process_request(request)
diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
index 4ce55ff..0473279 100644
--- a/openstack_dashboard/views.py
+++ b/openstack_dashboard/views.py
@@ -41,8 +41,7 @@ def splash(request):
 response = shortcuts.redirect(horizon.get_user_home(request.user))
 else:
 form = forms.Login(request)
- request.session.clear()
- request.session.set_test_cookie()
 response = shortcuts.render(request, 'splash.html', {'form': form})
- response.delete_cookie('logout_reason')
+ if 'logout_reason' in request.COOKIES:
+ response.delete_cookie('logout_reason')
 return response
--
1.9.1
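Review bot: The added line seeds `request.COOKIES[settings.SESSION_COOKIE_NAME]` with a fixed value, but nothing in the middleware change in this patch reads `request.COOKIES`, so why the timeout path needs a session cookie is not apparent from the test itself; a one-line comment above it such as `# present a session cookie so the timeout check is reached for this request` (adjusted to the real reason) would keep the next maintainer from deleting it. If the value is arbitrary, say so, since `"sessionIdABC"` reads like a magic string that something might match on. The test method starts before this hunk and its assertions presumably follow after it.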
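Review bot: Dropping `request.session.set_test_cookie()` removes the cookie-support probe that a Django login view would check with `request.session.test_cookie_worked()`; if the login form or view Horizon uses still performs that check, its "cookies required" path will now always trigger, so either confirm no caller consults the test cookie or keep the call on the branch that renders the form. Removing `request.session.clear()` likewise means an anonymous visitor's existing session data is now carried into the login form; that is only safe if the login handler rotates the session key on success, which is not visible here and is worth recording in a comment such as `# session is intentionally not touched here: clearing it created a backend record per anonymous hit (bug 1394370)`. The `logout_reason` guard itself is fine and avoids emitting a Set-Cookie header on every splash response. `splash` starts before this hunk.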