With the added check for:
if settings.SESSION_COOKIE_NAME in request.COOKIES:
an attacker can easily set some fake cookie with the specified name, and will go through the session.create() anyway.
Regarding the get_user monkey patch - since we use an external auth system (Keystone), we can't use the Django UserId, so we need to store the Keystone User Id and SessionBackend in the session to create the user from it.
One possible solution is to clean the session on line 59:
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L59
But this way - although we will keep the database clear, we might end up with a DoS vulnerability from the CREATE-DELETE DB requests on each anonymous request.
Another way is to monkey patch the load() method of SessionStore to avoid creation of a new session, since we do not use the session for anonymous requests.
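As an added illustration (not code from this bug report or from django_openstack_auth), a minimal stand-in for Django's database-backed SessionStore that reproduces the behaviour discussed above: the cookie-name check is passed by any forged cookie, the unpatched load() writes one row per miss, and the proposed load() patch does not. SessionStore, patched_load and simulate are names assumed for the demo, and a plain dict stands in for the django_session table.

```python
import secrets

SESSION_COOKIE_NAME = "sessionid"  # stands in for settings.SESSION_COOKIE_NAME


class SessionStore:
    """Mirrors the db backend behaviour under discussion: a miss in load()
    calls create(), so every unknown key costs a new session row. `table`
    is a dict standing in for the django_session table."""

    def __init__(self, table, session_key=None):
        self.table = table
        self.session_key = session_key

    def create(self):
        self.session_key = secrets.token_hex(16)
        self.table[self.session_key] = {}  # one DB write per call

    def load(self):
        row = self.table.get(self.session_key)
        if row is None:
            self.create()
            return {}
        return row


def patched_load(self):
    """Proposed monkey patch: on a miss, discard the bogus key and hand back
    an empty session without touching the database."""
    row = self.table.get(self.session_key)
    if row is None:
        self.session_key = None
        return {}
    return row


def simulate(forged_keys, patched=False):
    """Replay anonymous requests whose cookies carry attacker-chosen session
    keys (constructed input); return the number of rows left in the table."""
    table = {}
    original = SessionStore.load
    if patched:
        SessionStore.load = patched_load
    try:
        for key in forged_keys:
            cookies = {SESSION_COOKIE_NAME: key}
            # The cookie-name check from the report: any forged value passes it.
            if SESSION_COOKIE_NAME in cookies:
                SessionStore(table, cookies[SESSION_COOKIE_NAME]).load()
    finally:
        SessionStore.load = original
    return len(table)
```

Running simulate(["x", "y", "z"]) leaves three rows behind, the same input with patched=True leaves none, while a key that really exists in the table is still loaded by both versions.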