Change the default SESSION_ENGINE to use cached sessions

This commit changes the default SESSION_ENGINE to the cached
sessions and the default cached backend to memcached.

The cached sessions with memcahced is our current recommendation, but
we do not use it in our default settings and do not test it in our CI
(horizon-dsvm-tempest-plugin). It is better to use the recommended
configurations in our CI.
The previous default SESSION_ENGINE, the signed cookies, has
a limitation on the length o cookies and using keystone3 can hit this
easily. It is not ready for production for most cases.

For a cache backend, considering multi-process web server deployments,
memcahced is recommended rather than a local memory backend.

Note for developers: If you use "tox -e runserver" for developments,
SESSION_ENGINE = 'django.contrib.sessions.backends.cache' might not
work expectedly. From my testing, I was forced to log-in frequently
when moving pages. If you hit this, my suggestion is to configure
SESSION_ENGINE to django.contrib.sessions.backends.signed_cookies.

Change-Id: I1c4578ec5a7f70a59c6348d76ad0c12956a18573
Closes-Bug: #1736021

openstack_dashboard/local/local_settings.py.example

@@ -153,7 +153,9 @@ SECRET_KEY = secret_key.generate_or_read_from_file(
 
 # We recommend you use memcached for development; otherwise after every reload
 # of the django development server, you will have to login again. To use
-# memcached set CACHES to something like
+# memcached set CACHES to something like below.
+# For more information, see
+# https://docs.djangoproject.com/en/1.11/topics/http/sessions/.
 #CACHES = {
 #    'default': {
 #        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
@@ -161,12 +163,6 @@ SECRET_KEY = secret_key.generate_or_read_from_file(
 #    },
 #}
 
-CACHES = {
-    'default': {
-        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
-    },
-}
-
 # Send email to the console by default
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 # Or send them to /dev/null

openstack_dashboard/settings.py

@@ -198,7 +198,14 @@ AUTHENTICATION_URLS = ['openstack_auth.urls']
 AUTH_USER_MODEL = 'openstack_auth.User'
 MESSAGE_STORAGE = 'django.contrib.messages.storage.fallback.FallbackStorage'
 
-SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
+SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+        'LOCATION': '127.0.0.1:11211',
+    },
+}
+
 SESSION_COOKIE_HTTPONLY = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_SECURE = False

releasenotes/notes/session-engine-bc6305bfb74a9beb.yaml

@@ -0,0 +1,22 @@
+---
+upgrade:
+  - |
+    The default value of ``SESSION_ENGINE`` is changed to
+    ``django.contrib.sessions.backends.cache``
+    so that a cache-based session backend is used.
+
+    The default cache back-end is set to the memcached backend
+    ``django.core.cache.backends.memcached.MemcachedCache``
+    from the local-memory backend
+    considering multi-process web server deployments.
+
+    They are settings which horizon recommends for a long time
+    but we have not use them by default.
+
+    If your deployment uses the signed-cookies as a session engine,
+    ensure that ``SESSION_ENGINE`` is configured to
+    ``django.contrib.sessions.backends.signed_cookies``
+    before upgrading horizon to Stein release.
+    If your deployment uses the cached session engine and
+    your cache backend depends on horizon default setting,
+    ensure to ``CACHES`` setting to use the local-memory backend.