Skip to main content

cache-based Django app that locks out users after too many failed login attempts.

Project description

django-lockout is a cache-based Django app that locks out users after too many failed login attempts. Because django-lockout tracks login attempts in your site’s cache, it is fast and lightweight. It is intended for Django sites where protection against brute force attacks is desired with no additional database overhead.

django-lockout wraps django.contrib.auth.authenticate and raises lockout.LockedOut when too many login attempts occur. Your views are responsible for catching and handling LockedOut however you deem appropriate. django-lockout’s middleware class stores the request object in the thread local namespace to give the wrapped auth.authenticate function access to it.

Login attempts can be tracked by IP only or by IP plus user-agent.


django-lockout is designed for Django 1.3. It also works with Django 1.0, 1.1, and 1.2, with the exception of the test suite (which relies on django.test.client.RequestFactory). If you use django-lockout with an earlier version of Django than 1.3, you should not add 'lockout' to your INSTALLED_APPS.

django-lockout requires that you have enabled a cache for your site.


You can install django-lockout with:

pip install django-lockout


easy_install django-lockout

Add 'lockout.middleware.LockoutMiddleware' to your MIDDLEWARE_CLASSES. It should come before Django’s AuthenticationMiddleware:


Adding 'lockout' to your INSTALLED_APPS is only required if you want to run django-lockout’s test suite.


Below is an example of how you might use django-lockout:

    user = auth.authenticate(username=username, password=password)
except LockedOut:
    messages.warning(request, 'Your account has been locked out because of too many failed login attempts.')

If you need to clear the record of failed attempts for an IP or IP plus user-agent, call lockout.reset_attempts, passing the request for that IP or IP plus user-agent:




The maximum number of login attempts before the IP or IP plus user-agent is locked out. Default: 5.


The number of seconds the IP or IP plus user-agent should be locked out. Default: 600 (10 minutes).


The number of seconds before the failed login attempts are reset and the IP or IP plus user-agent gets a fresh start. Default: 300 (5 minutes).

LOCKOUT_ENFORCEMENT_WINDOW affects failed login attempts up to the max allowed, while LOCKOUT_TIME takes effect when the max attempts is reached. For example, with a LOCKOUT_ENFORCEMENT_WINDOW of 5 minutes, suppose a user has a failed login attempt, followed by another failed login attempt 3 minutes later. Both attempts will count toward the maximum. However, if the 5-minute mark (from the first failed attempt) is reached with fewer than the max allowed attempts, the failures will expire and the user will once again be allowed the maximum attempts. If the user exceeds the max within the LOCKOUT_ENFORCEMENT_WINDOW, the user will be locked out for LOCKOUT_TIME seconds.


Whether to track failed login attempts by IP plus user-agent, instead of by IP only. Default: False.


The prefix for cache keys generated by django-lockout. Default: 'lockout'.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution (13.7 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page