Comment 1 for bug 1459628

Paul Karikh (pkarikh) wrote :

I believe that the root of the problem is this line in django_openstack_auth:
user_id = request.session[auth.SESSION_KEY] (https://github.com/jtopjian/openstack_auth/blob/master/utils.py#L27)
This operation looks valid. But after this moment we have no chance to prevent creation of the session because Django handles all the other stuff.

When DOA tries to get access to the request.session, Django creates an instance of the User object (before this action it is an instance of SimpleLazyObject). After a few operations, when Django can't find a session with the provided sessionId, it creates a new session: https://github.com/django/django/blob/1.7c3/django/contrib/sessions/backends/db.py#L29

Right now it looks like the best place to make any changes is this line:
https://github.com/openstack/horizon/blob/stable/kilo/horizon/middleware.py#L93

We need to avoid accessing any request.user fields (to avoid making a new instance). Now I'm trying to find a way to check whether the request was created by an anonymous user without affecting other cases.

I've also contacted Horizon core developers (Lin Hua Cheng and Eric Peterson). They agreed that this is a different bug and are searching for a way to handle it too.
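
A model of the behaviour described in the comment above, added here as an example; it is not part of the original comment and is not Django, Horizon or django_openstack_auth code. ModelSessionStore, user_id_unguarded, user_id_guarded and rows_after are hypothetical names, the store is a toy stand-in for a database-backed session backend, and the cookie values are constructed.

```python
import secrets

SESSION_KEY = "_auth_user_id"  # stands in for auth.SESSION_KEY (assumed value)

class ModelSessionStore:
    """Toy stand-in for a DB-backed session store (not Django's class)."""
    def __init__(self, table, session_key=None):
        self.table = table              # dict: session_key -> session data
        self.session_key = session_key  # value taken from the request cookie
        self._cache = None              # loaded lazily, on first access

    def exists(self, key):
        return key in self.table

    def load(self):
        # Behaviour described in the comment: when no row matches the
        # supplied key, a brand-new empty session is created and persisted.
        if self.session_key in self.table:
            return dict(self.table[self.session_key])
        self.session_key = secrets.token_hex(16)
        self.table[self.session_key] = {}
        return {}

    def get(self, key, default=None):
        if self._cache is None:
            self._cache = {} if self.session_key is None else self.load()
        return self._cache.get(key, default)

def user_id_unguarded(store):
    # Any read of the session triggers load(), and so a new row on a miss.
    return store.get(SESSION_KEY)

def user_id_guarded(store):
    # Check that the key exists first; never load a session that does not.
    if store.session_key is None or not store.exists(store.session_key):
        return None
    return store.get(SESSION_KEY)

def rows_after(handler, cookies):
    """Run handler once per cookie; return (row count, handler results)."""
    table = {"known": {SESSION_KEY: 42}}  # constructed sample row
    results = [handler(ModelSessionStore(table, c)) for c in cookies]
    return len(table), results

COOKIES = ["known", "bogus-1", "bogus-2", None]  # constructed sample input

if __name__ == "__main__":
    print("unguarded:", rows_after(user_id_unguarded, COOKIES))
    print("guarded:  ", rows_after(user_id_guarded, COOKIES))
```

Both handlers return the same user ids; only the unguarded one leaves an extra row in the table for every unknown session id it was shown.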