Comment 11 for bug 978896

Paul McMillan (paul-mcmillan) wrote :

(sorry to be slow responding here)

@Thierry: The most serious other issue I discovered was that there are some circumstances in which it is possible for user data and/or auth to leak from one session to another.

The fix here is to remove the keystone auth from the middleware, and use it as a proper Django auth backend. This means that Horizon uses the same extremely well tested and audited mechanisms that Django uses. It also means that Horizon will get the same security upgrades that Django does, if a bug is discovered in these mechanisms. It also means that we have consistent behavior across alternate session backends.

I'm in the process of testing my patch for this now.
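As an added illustration of the design the comment above describes (this is example code, not Horizon's patch and not Django's own implementation), the block below sketches a Django-style authentication backend for Keystone. Django's backend contract is two methods: authenticate() validates credentials and returns a user object or None, and get_user() rebuilds that user from the id Django stores in the session under _auth_user_id. Because the backend instance itself holds no per-request state and each request re-resolves the user from its own session, nothing is shared between sessions. The KeystoneBackend class, the constructed _FAKE_KEYSTONE table and the simplified login()/get_user() models of django.contrib.auth are assumptions made for this example; in a real deployment the backend would call the Keystone API instead.

```python
"""Toy Django-style auth backend for Keystone (illustration, not Horizon code)."""
from dataclasses import dataclass

# Session keys Django's django.contrib.auth uses to remember who is logged in.
SESSION_KEY = "_auth_user_id"
BACKEND_SESSION_KEY = "_auth_user_backend"

# Constructed stand-in for a Keystone identity service: username -> record.
# A real backend would make an HTTP call to Keystone here.
_FAKE_KEYSTONE = {
    "alice": {"id": "u-1", "password": "s3cret", "tenant": "demo", "token": "tok-alice"},
    "bob": {"id": "u-2", "password": "hunter2", "tenant": "ops", "token": "tok-bob"},
}


@dataclass
class KeystoneUser:
    """Minimal user object exposing the attributes Django's auth machinery reads."""
    id: str
    username: str
    tenant: str
    token: str
    is_active: bool = True
    is_authenticated: bool = True

    @property
    def pk(self):
        return self.id


class KeystoneBackend:
    """Implements the two-method interface Django expects in AUTHENTICATION_BACKENDS.

    The instance keeps no state between calls, so a user or token can never
    bleed from one request (or session) into another.
    """

    def authenticate(self, request=None, username=None, password=None, **kwargs):
        # Return None on any failure; Django then tries the next backend.
        record = _FAKE_KEYSTONE.get(username)
        if record is None or record["password"] != password:
            return None
        return KeystoneUser(record["id"], username, record["tenant"], record["token"])

    def get_user(self, user_id):
        # Called on every request with the id Django stored in the session.
        for username, record in _FAKE_KEYSTONE.items():
            if record["id"] == user_id:
                return KeystoneUser(record["id"], username, record["tenant"], record["token"])
        return None


def login(session, user):
    """Simplified model of django.contrib.auth.login: the session stores only
    the user id and the backend that authenticated it, never the user object."""
    session.clear()  # Django also cycles the session key here
    session[SESSION_KEY] = user.pk
    session[BACKEND_SESSION_KEY] = "KeystoneBackend"


def get_user(session):
    """Simplified model of django.contrib.auth.get_user: re-resolve the user
    from this session's id on each request; no cross-session state exists."""
    user_id = session.get(SESSION_KEY)
    if user_id is None:
        return None
    return KeystoneBackend().get_user(user_id)


def demo():
    """Two independent sessions resolve to their own users; bad credentials yield None."""
    backend = KeystoneBackend()
    session_a, session_b = {}, {}
    login(session_a, backend.authenticate(username="alice", password="s3cret"))
    login(session_b, backend.authenticate(username="bob", password="hunter2"))
    failed = backend.authenticate(username="alice", password="wrong")
    return get_user(session_a).username, get_user(session_b).username, failed


if __name__ == "__main__":
    print(demo())
```

Wiring it in amounts to listing the backend's dotted path in Django's AUTHENTICATION_BACKENDS setting; from then on the session handling, including how the stored id is validated and which session backend persists it, is Django's rather than the project's.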