Comment 24 for bug 1394370

Tihomir Trifonov (ttrifonov) wrote : Re: horizon login page is vulnerable to DOS attack

Thanks, Eric, for looking at the code. I promised to try to prepare the Django Auth patch, but couldn't manage to do it, sorry for that. Anyway, the proposed fix with process_response seems much more correct than the django-auth approach, as we might accidentally add some additional processing in another middleware to check again for something in the session, and clearing the session at process_response seems to be the better way.

In Django, the persistence of the session ID on the server (DB) is needed if we want to allow anonymous users to store some settings in the session and not in a cookie (e.g. when editing a comment under a blog: storing drafts in the server session while the user is not yet logged in). Since Horizon doesn't allow anonymous users to perform any action, I think clearing the session is actually recommended. Each time an anonymous user logs in to the site, they will have a unique session ID, which is perfectly fine; they don't need anything else.

If someone can help with testing the proposed patch by Eric (https://bugs.launchpad.net/horizon/+bug/1394370/+attachment/4264463/+files/0001-Horizon-login-page-contains-DOS-attack-mechanism.patch) + the last 2 lines with process_response, that would be great. I'd try to run a few tests, but I'm on a very tight schedule this week.
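As an added illustration, not Eric's patch or Horizon code, the Python sketch below shows the process_response approach the comment describes: a middleware placed inside Django's SessionMiddleware flushes the session for unauthenticated requests, so the session engine has nothing to persist per anonymous hit on the login page. Django itself is not imported; FakeSession, the request objects and the login view's session write are constructed stand-ins, and simulate() applies SessionMiddleware's save rule (modified and non-empty) by hand.

```python
from types import SimpleNamespace


class FakeSession:
    """Constructed stand-in for a Django session; `store` plays the session table."""
    def __init__(self, store):
        self.store, self.session_key, self.data, self.modified = store, None, {}, False

    def __setitem__(self, key, value):
        self.data[key] = value
        self.modified = True

    def save(self):
        # Persist under a freshly allocated key, as a session engine would.
        if self.session_key is None:
            self.session_key = f"sess{len(self.store) + 1:06d}"
        self.store[self.session_key] = dict(self.data)

    def flush(self):
        # Like Django's Session.flush(): delete the server-side row and forget the key.
        self.store.pop(self.session_key, None)
        self.session_key, self.data, self.modified = None, {}, False


class ClearAnonymousSessionMiddleware:
    """List after SessionMiddleware so this process_response runs before its save."""
    def process_response(self, request, response):
        if not request.user.is_authenticated:
            request.session.flush()  # an anonymous visitor leaves no server-side state
        return response


def simulate(n_requests, clear_anonymous, authenticated=False):
    """Serve n requests to a session-touching login view; return rows persisted."""
    store, user = {}, SimpleNamespace(is_authenticated=authenticated)
    clearer = ClearAnonymousSessionMiddleware()
    for _ in range(n_requests):
        request = SimpleNamespace(user=user, session=FakeSession(store))
        request.session["next"] = "/"  # constructed: the login view writes to the session
        response = "200 OK"
        if clear_anonymous:  # inner middleware's process_response runs first on the way out
            response = clearer.process_response(request, response)
        if request.session.modified and request.session.data:  # SessionMiddleware's save rule
            request.session.save()
    return len(store)
```

With clearing disabled, every anonymous request leaves a row behind; with it enabled, only authenticated users' sessions are persisted.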