Comment 22 for bug 1394370

Eric Peterson (ericpeterson-l) wrote : Re: horizon login page is vulnerable to DOS attack

I have not found a way to make changes in the auth package that prevent session creation. As soon as a user is looked up (even an Anonymous user), a session record is created.

However, I have found an additional change in the horizon middleware that can help. This change is needed in process_response, at the end of the method. This means it is one of the last things called. The code to add is:

        # Runs at the end of process_response: drop the session record that
        # was created for this unauthenticated (e.g. AnonymousUser) request.
        if not request.user.is_authenticated():
            request.session.delete(request.session.session_key)

For a db backed session, this calls:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L70

I am not sure how this works with the signed-cookie-based sessions, or even with the memcached sessions. Would this be an acceptable approach?
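The following Python is an added illustration of the mechanism discussed in this comment; it is not code from the bug report, from Horizon or from Django. It is a small in-memory stand-in for the db session backend (a dict playing the role of the django_session table), a "login" view that touches the session, a SessionMiddleware-like save step, and the proposed process_response check. All class and function names (SessionStore, User, Request, handle, rows_after) are assumptions made for the example. It goes one step beyond the comment by also showing that the deletion only helps when it runs after the session has been persisted; in Django the save happens in SessionMiddleware.process_response, and response middleware runs in reverse list order, so where the Horizon middleware sits in the middleware list matters.

```python
"""Model of the 'delete the anonymous session' fix (added example, not Django)."""
import itertools


class SessionStore:
    """Minimal stand-in for django.contrib.sessions.backends.db.SessionStore.

    TABLE is a constructed in-memory 'django_session' table: key -> data.
    """

    TABLE = {}
    _keys = itertools.count(1)

    def __init__(self, session_key=None):
        self.session_key = session_key
        self.modified = False
        self._data = dict(self.TABLE.get(session_key, {}))

    def __setitem__(self, key, value):
        self._data[key] = value
        self.modified = True

    def save(self):
        # Like the db backend, save() inserts a row when the key is new.
        if self.session_key is None:
            self.session_key = "sess%d" % next(self._keys)
        self.TABLE[self.session_key] = dict(self._data)

    def delete(self, session_key):
        # Mirrors SessionStore.delete(): remove the row for this key.
        self.TABLE.pop(session_key, None)


class User:
    """Stand-in for a Django user; is_authenticated() as in the comment's code."""

    def __init__(self, authenticated):
        self._auth = authenticated

    def is_authenticated(self):
        return self._auth


class Request:
    def __init__(self, user, session):
        self.user = user
        self.session = session


def view(request):
    """Stand-in for the login view: touching the session marks it modified."""
    request.session["last_visit"] = "login"
    return "login page"


def session_middleware_response(request, response):
    """Stand-in for SessionMiddleware.process_response: persists the session."""
    if request.session.modified:
        request.session.save()
    return response


def horizon_middleware_response(request, response):
    """The check proposed in the comment: drop the record of an anonymous session."""
    if not request.user.is_authenticated():
        request.session.delete(request.session.session_key)
    return response


def handle(authenticated, with_fix, fix_runs_after_save=True):
    """One request through view -> response middleware, in the chosen order."""
    request = Request(User(authenticated), SessionStore())
    response = view(request)
    if with_fix and not fix_runs_after_save:
        response = horizon_middleware_response(request, response)
    response = session_middleware_response(request, response)
    if with_fix and fix_runs_after_save:
        response = horizon_middleware_response(request, response)
    return response


def rows_after(n_requests, authenticated=False, with_fix=True,
               fix_runs_after_save=True):
    """Number of session rows left after n_requests identical requests."""
    SessionStore.TABLE.clear()
    for _ in range(n_requests):
        handle(authenticated, with_fix, fix_runs_after_save)
    return len(SessionStore.TABLE)


if __name__ == "__main__":
    print("anonymous hits, no fix:   ", rows_after(100, with_fix=False))
    print("anonymous hits, with fix: ", rows_after(100, with_fix=True))
    print("fix before save:          ", rows_after(100, fix_runs_after_save=False))
    print("authenticated, with fix:  ", rows_after(5, authenticated=True))
```

Without the check, every anonymous hit on the login page leaves a row behind, which is the growth the bug title describes; with the check in place after the save, the table stays empty for anonymous traffic while authenticated sessions are untouched. If the deletion runs before the save step, the save simply writes the row again and the fix is a no-op, so the position of the Horizon middleware relative to SessionMiddleware needs to be verified in the real deployment.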