Skip to main content

cache-based Django app that locks out users after too many failed login attempts.

Project description

django-lockout is a cache-based Django app that locks out users after too many failed login attempts. Because django-lockout tracks login attempts in your site’s cache, it is fast and lightweight. It is intended for Django sites where protection against brute force attacks is desired with no additional database overhead.

django-lockout wraps django.contrib.auth.authenticate and raises lockout.LockedOut when too many login attempts occur. Your views are responsible for catching and handling LockedOut however you deem appropriate. django-lockout’s middleware class stores the request object in the thread local namespace to give the wrapped auth.authenticate function access to it.

Login attempts can be tracked by IP only or by IP plus user-agent.

Requirements

django-lockout is designed for Django 1.3. It also works with Django 1.0, 1.1, and 1.2, with the exception of the test suite (which relies on django.test.client.RequestFactory). If you use django-lockout with an earlier version of Django than 1.3, you should not add 'lockout' to your INSTALLED_APPS.

django-lockout requires that you have enabled a cache for your site.

Installation

You can install django-lockout with:

pip install django-lockout

or:

easy_install django-lockout

Add 'lockout.middleware.LockoutMiddleware' to your MIDDLEWARE_CLASSES. It should come before Django’s AuthenticationMiddleware:

MIDDLEWARE_CLASSES = [
    'lockout.middleware.LockoutMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    ...
    ]

Adding 'lockout' to your INSTALLED_APPS is only required if you want to run django-lockout’s test suite.

Usage

Below is an example of how you might use django-lockout:

try:
    user = auth.authenticate(username=username, password=password)
except LockedOut:
    messages.warning(request, 'Your account has been locked out because of too many failed login attempts.')

If you need to clear the record of failed attempts for an IP or IP plus user-agent, call lockout.reset_attempts, passing the request for that IP or IP plus user-agent:

reset_attempts(request)

Settings

LOCKOUT_MAX_ATTEMPTS

The maximum number of login attempts before the IP or IP plus user-agent is locked out. Default: 5.

LOCKOUT_TIME

The number of seconds the IP or IP plus user-agent should be locked out. Default: 600 (10 minutes).

LOCKOUT_ENFORCEMENT_WINDOW

The number of seconds before the failed login attempts are reset and the IP or IP plus user-agent gets a fresh start. Default: 300 (5 minutes).

LOCKOUT_ENFORCEMENT_WINDOW affects failed login attempts up to the max allowed, while LOCKOUT_TIME takes effect when the max attempts is reached. For example, with a LOCKOUT_ENFORCEMENT_WINDOW of 5 minutes, suppose a user has a failed login attempt, followed by another failed login attempt 3 minutes later. Both attempts will count toward the maximum. However, if the 5-minute mark (from the first failed attempt) is reached with fewer than the max allowed attempts, the failures will expire and the user will once again be allowed the maximum attempts. If the user exceeds the max within the LOCKOUT_ENFORCEMENT_WINDOW, the user will be locked out for LOCKOUT_TIME seconds.

LOCKOUT_USE_USER_AGENT

Whether to track failed login attempts by IP plus user-agent, instead of by IP only. Default: False.

LOCKOUT_CACHE_PREFIX

The prefix for cache keys generated by django-lockout. Default: 'lockout'.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-lockout-0.1.1.zip (13.7 kB view details)

Uploaded Source

File details

Details for the file django-lockout-0.1.1.zip.

File metadata

  • Download URL: django-lockout-0.1.1.zip
  • Upload date:
  • Size: 13.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for django-lockout-0.1.1.zip
Algorithm Hash digest
SHA256 b96292167f84448f1b9d19f6d0f1f267ffb43f01d98b8b6745eb534d9ae01081
MD5 6e12ca4e86e6117d95cf10ba5b25a3a3
BLAKE2b-256 7feb853cfa901b6296f9438fe8d9d93663bcab892ca5d0931704829435c3e5c9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page