The latest patch is still vulnerable, just make
csrf=$(curl https://dashboard | grep csrfmiddlewaretoken-match-pattern)
Then run this request:
curl -i https://dashboard/auth/login/ -d "csrfmiddlewaretoken=$csrf&region=http://dashboard:5000/v2.0&username=fake&password=fake" -b csrftoken=$csrf
You can repeat the request as many times as you want. Each run will add new row in DB.
But I think mystery is finally revealed:
First this: https://github.com/openstack/django_openstack_auth/blob/455aaeab8d16fbecebe9a088e10e0e532a3116cb/openstack_auth/forms.py#L101
and then that:
Django 1.7: https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L276
Django 1.6 (Ouch): https://github.com/django/django/blob/stable/1.6.x/django/contrib/sessions/backends/base.py
So .flush() should be replaced with .delete(session_key), as in 1.6 it calls .create() and in 1.7 .clear() sets self.modified = True, but we don't have anything in session anyway.
My assumption is that Django wants to persist session, as by default websites might need to store user settings for anonymous users. Also, the sessionId is persisted for security reasons - since the session_key value is primary key in the Database, you cannot create duplicate sessionIds. Otherwise - if one user logs in and is assigned sessionId=123, then another user plays as anonymous, but for some reason the server assigns the same sessionId (possible in web farms) - they will be able to see the same as the logged-in user.
But Horizon doesn't actually need that. It doesn't offer anything to anonymous users. So Django should probably be able to handle the case with no anonymous sessions in DB as a general use case.
One minor drawback of the patch is that after a logout, a new session id is associated to the user, and it remains in the DB. But this should be generally OK for handling. To clear it - we still need the cleanup middleware.
The patch issues .delete() in django_openstack_auth, which works in 1.6 and 1.7 - no database rows added. And we can add the latest patch from Eric for horizon, as it makes things simple.
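To make the three behaviours discussed above concrete, here is an added Python model of a failed anonymous login under 1.6-style .flush() (delete + create), 1.7-style .flush() (clear() marks the session modified, so the middleware saves a fresh row at response time) and the patched .delete(session_key). It is not Django's or django_openstack_auth's code; Session, failed_login and the dict standing in for the django_session table are assumed names.

```python
# Added model of the behaviours described in the thread, NOT Django's or
# django_openstack_auth's code; Session and failed_login are assumed names.
import secrets

class Session:
    """Stand-in for the DB session backend; `table` plays the django_session table."""
    def __init__(self, table, session_key=None):
        self.table, self.session_key = table, session_key
        self.data = dict(table.get(session_key, {}))
        self.modified = False          # SessionMiddleware saves only when True

    def create(self):                  # writes a row immediately
        self.session_key = secrets.token_hex(16)
        self.table[self.session_key] = dict(self.data)
        self.modified = True

    def delete(self, session_key=None):  # row gone, self.modified untouched
        self.table.pop(session_key or self.session_key, None)

    def flush_1_6(self):               # 1.6: clear + delete + create
        self.data.clear()
        self.delete()
        self.create()                  # fresh anonymous row on every call

    def flush_1_7(self):               # 1.7: clear() sets modified = True
        self.data.clear()
        self.modified = True
        self.delete()
        self.session_key = None        # middleware will create() at response time

    def save_if_modified(self):        # what SessionMiddleware does on response
        if self.modified:
            if self.session_key is None:
                self.create()
            else:
                self.table[self.session_key] = dict(self.data)


def failed_login(table, strategy, attempts):
    """Simulate `attempts` cookie-less failed logins; return rows left in `table`."""
    for _ in range(attempts):
        s = Session(table)             # anonymous request, no session cookie
        if strategy == "flush_1.6":
            s.flush_1_6()
        elif strategy == "flush_1.7":
            s.flush_1_7()
        else:                          # "delete": the patched behaviour
            s.delete(s.session_key)
        s.save_if_modified()
    return len(table)
```

Both flush variants leave one new row per request, which is the growth the curl loop above triggers; only the explicit delete leaves the table empty.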