Removing last_activity session flag

This change will simplify horizon session management and lesson
the load on session backends which currently are writing records
with every page request.

Pre-Requisite change: https://review.openstack.org/#/c/179800/

Change-Id: I3ff8ca6b56655c7c68743398fee903d651332867
Closes-bug: #1450914

doc/source/topics/settings.rst

@@ -1112,10 +1112,12 @@ define the policy rules actions are verified against.
 
 .. versionadded:: 2013.2(Havana)
 
-Default: ``"1800"``
+Default: ``"3600"``
+
+This SESSION_TIMEOUT is a method to supercede the token timeout with a shorter
+horizon session timeout (in seconds).  So if your token expires in 60 minutes,
+a value of 1800 will log users out after 30 minutes.
 
-Specifies the timespan in seconds inactivity, until a user is considered as
- logged out.
 
 ``SAHARA_AUTO_IP_ALLOCATION_ENABLED``
 -------------------------------------

horizon/middleware.py

@@ -21,7 +21,6 @@ Middleware provided and used by Horizon.
 
 import json
 import logging
-import time
 
 from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME  # noqa
@@ -30,10 +29,8 @@ from django.contrib import messages as django_messages
 from django import http
 from django import shortcuts
 from django.utils.encoding import iri_to_uri  # noqa
-from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 
-from openstack_auth import utils as auth_utils
 from openstack_auth import views as auth_views
 import six
 
@@ -49,33 +46,6 @@ class HorizonMiddleware(object):
 
     logout_reason = None
 
-    def _check_has_timed_timeout(self, request):
-        """Check for session timeout and return timestamp."""
-        has_timed_out = False
-        # Activate timezone handling
-        tz = request.session.get('django_timezone')
-        if tz:
-            timezone.activate(tz)
-        try:
-            timeout = settings.SESSION_TIMEOUT
-        except AttributeError:
-            timeout = 1800
-        last_activity = request.session.get('last_activity', None)
-        timestamp = int(time.time())
-        if (
-            hasattr(request, "user")
-            and hasattr(request.user, "token")
-            and not auth_utils.is_token_valid(request.user.token)
-        ):
-            # The user was logged in, but his keystone token expired.
-            has_timed_out = True
-        if isinstance(last_activity, int):
-            if (timestamp - last_activity) > timeout:
-                has_timed_out = True
-            if has_timed_out:
-                request.session.pop('last_activity')
-        return (has_timed_out, timestamp)
-
     def _logout(self, request, login_url=None, message=None):
         """Logout a user and display a logout message."""
         response = auth_views.logout(request, login_url)
@@ -97,11 +67,6 @@ class HorizonMiddleware(object):
             # to avoid creating too many sessions
             return None
 
-        # Check for session timeout if user is (or was) authenticated.
-        has_timed_out, timestamp = self._check_has_timed_timeout(request)
-        if has_timed_out:
-            return self._logout(request, request.path, _("Session timed out."))
-
         if request.is_ajax():
             # if the request is Ajax we do not want to proceed, as clients can
             #  1) create pages with constant polling, which can create race
@@ -140,8 +105,6 @@ class HorizonMiddleware(object):
                             'max_cookie_size': max_cookie_size,
                         }
                     )
-        # We have a valid session, so we set the timestamp
-        request.session['last_activity'] = timestamp
 
     def process_exception(self, request, exception):
         """Catches internal Horizon exception classes such as NotAuthorized,

horizon/test/tests/middleware.py

@@ -13,8 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import time
-
 from django.conf import settings
 
 from django.http import HttpResponseRedirect  # noqa
@@ -35,19 +33,6 @@ class MiddlewareTests(test.TestCase):
 
         self.assertRedirects(resp, url)
 
-    def test_session_timeout(self):
-        requested_url = '/project/instances/'
-        request = self.factory.get(requested_url)
-        try:
-            timeout = settings.SESSION_TIMEOUT
-        except AttributeError:
-            timeout = 1800
-        request.session['last_activity'] = int(time.time()) - (timeout + 10)
-        mw = middleware.HorizonMiddleware()
-        resp = mw.process_request(request)
-        self.assertEqual(302, resp.status_code)
-        self.assertEqual(requested_url, resp.get('Location'))
-
     def test_process_response_redirect_on_ajax_request(self):
         url = settings.LOGIN_URL
         mw = middleware.HorizonMiddleware()

openstack_dashboard/settings.py

@@ -179,13 +179,11 @@ SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
 SESSION_COOKIE_HTTPONLY = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_SECURE = False
-SESSION_TIMEOUT = 1800
-# A token can be near the end of validity when a page starts loading, and
-# invalid during the rendering which can cause errors when a page load.
-# TOKEN_TIMEOUT_MARGIN defines a time in seconds we retrieve from token
-# validity to avoid this issue. You can adjust this time depending on the
-# performance of the infrastructure.
-TOKEN_TIMEOUT_MARGIN = 10
+
+# SESSION_TIMEOUT is a method to supercede the token timeout with a shorter
+# horizon session timeout (in seconds).  So if your token expires in 60
+# minutes, a value of 1800 will log users out after 30 minutes
+SESSION_TIMEOUT = 3600
 
 # When using cookie-based sessions, log error when the session cookie exceeds
 # the following size (common browsers drop cookies above a certain size):