Horizon login page contains DOS attack mechanism

The horizon login page (and middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Co-Authored-By: Tihomir Trifonov <t.trifonov@gmail.com>
Co-Authored-By: Eric Peterson <eric.peterson1@twcable.com>

Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
Closes-Bug: 1394370
eric 2014-12-08 16:38:26 -07:00
parent 7c5f759473
commit e676c88a32
1 changed files with 0 additions and 1 deletions

@ -98,7 +98,6 @@ class Login(django_auth_forms.AuthenticationForm):
msg = 'Login failed for user "%(username)s".' % \
{'username': username}
LOG.warning(msg)
self.request.session.flush()
raise forms.ValidationError(exc)
if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7
self.check_for_test_cookie()
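
Review bot: The commit message names both the login page and the middleware as accessing the session too early, but the stats show one file and a single deletion, and the only session access in this hunk is `self.request.session.flush()` in the failed-login branch just before `raise forms.ValidationError(exc)` (the +/- markers are lost in this rendering, so that is presumably the removed line). If the middleware path is handled in another change, the message should say so; otherwise that part is still open. A regression test asserting that a failed login against a non-cookie session backend leaves no new session record would keep the call from being reintroduced.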