From e8a66a4d92ae259a5ef004cafad1809942c66596 Mon Sep 17 00:00:00 2001
From: eric <eric.peterson1@twcable.com>
Date: Thu, 20 Nov 2014 08:49:09 -0700
Subject: [PATCH] Horizon login page contains DOS attack mechanism

the horizon login page (really the middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
Closes-Bug: 1394370
---
 horizon/middleware.py        | 10 ++++++----
 openstack_dashboard/views.py |  5 ++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/horizon/middleware.py b/horizon/middleware.py
index a0d9c3d3da..885489e5c5 100644
--- a/horizon/middleware.py
+++ b/horizon/middleware.py
@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
         request.horizon = {'dashboard': None,
                            'panel': None,
                            'async_messages': []}
+        if not hasattr(request, "user") or not request.user.is_authenticated():
+            # proceed no further if the current request is already known
+            # not to be authenticated
+            # it is CRITICAL to perform this check as early as possible
+            # to avoid creating too many sessions
+            return None
 
         # Check for session timeout if user is (or was) authenticated.
         has_timed_out, timestamp = self._check_has_timed_timeout(request)
         if has_timed_out:
             return self._logout(request, request.path, _("Session timed out."))
 
-        if not hasattr(request, "user") or not request.user.is_authenticated():
-            # proceed no further if the current request is already known
-            # not to be authenticated
-            return None
         if request.is_ajax():
             # if the request is Ajax we do not want to proceed, as clients can
             #  1) create pages with constant polling, which can create race
diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
index 4ce55ffdc0..0473279f59 100644
--- a/openstack_dashboard/views.py
+++ b/openstack_dashboard/views.py
@@ -41,8 +41,7 @@ def splash(request):
         response = shortcuts.redirect(horizon.get_user_home(request.user))
     else:
         form = forms.Login(request)
-        request.session.clear()
-        request.session.set_test_cookie()
         response = shortcuts.render(request, 'splash.html', {'form': form})
-    response.delete_cookie('logout_reason')
+    if 'logout_reason' in request.COOKIES:
+        response.delete_cookie('logout_reason')
     return response