Comment 31 for bug 1394370
Revision history for this message
| Eric Peterson (ericpeterson-l) wrote Re: horizon login page is vulnerable to DOS attack | #31 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
A session record will get written to the DB if you:
- Just access (read from) request.session
- Just access request.user (which underneath, is also accessing request.session)
A good general intro is at http://
The db session backend is forcing a session row to be created at:
https:/
This essentially is saying if we couldn't find any session info, the db backend will generate a session ID for the user and write a row into the DB.
I agree that this in't a great behavior, but it is what I observe in a lot of trial and error tests.
@dstufft - yes, I would think accessing request.user wouldn't create a new session row, but that is not the case. When this code happens:
user_id = request.
Then the session gets created in the db, even though that code will eventually bomb out with a key error for the SESSION_KEY.
I'd encourage others to set this stuff up and try it, how I would think things should work are not how things actually work ;) within django's session middleware.