django-lockout cached-based Django app that locks out users after too many failed login attempts
Download

django-lockout Ranking & Summary

django-lockout Tags

Django users locking lock users failed login

django-lockout Description

cached-based Django app that locks out users after too many failed login attempts django-lockout is a cache-based Django app that locks out users after too many failed login attempts. Because django-lockout tracks login attempts in your site's cache, it is fast and lightweight. django-lockout is intended for Django sites where protection against brute force attacks is desired with no additional database overhead.django-lockout wraps django.contrib.auth.authenticate and raises lockout.LockedOut when too many login attempts occur. Your views are responsible for catching and handling LockedOut however you deem appropriate. django-lockout's middleware class stores the request object in the thread local namespace to give the wrapped auth.authenticate function access to it.Login attempts can be tracked by IP only or by IP plus user-agent.Requirementsdjango-lockout is designed for Django 1.3. It also works with Django 1.0, 1.1, and 1.2, with the exception of the test suite (which relies on django.test.client.RequestFactory). If you use django-lockout with an earlier version of Django than 1.3, you should not add 'lockout' to your INSTALLED_APPS.django-lockout requires that you have enabled a cache for your site.InstallationYou can install django-lockout using pip:pip install django-lockoutor easy_install:easy_install django-lockoutAdd 'lockout.middleware.LockoutMiddleware' to your MIDDLEWARE_CLASSES. It should come before Django's AuthenticationMiddleware:MIDDLEWARE_CLASSES = Adding 'lockout' to your INSTALLED_APPS is only required if you want to run django-lockout's test suite.UsageBelow is an example of how you might use django-lockout:try: user = auth.authenticate(username=username, password=password)except LockedOut: messages.warning(request, 'Your account has been locked out because of too many failed login attempts.')If you need to clear the record of failed attempts for an IP or IP plus user-agent, call lockout.reset_attempts, passing the request for that IP or IP plus user-agent:reset_attempts(request)SettingsLOCKOUT_MAX_ATTEMPTS The maximum number of login attempts before the IP or IP plus user-agent is locked out. Default: 5.LOCKOUT_TIME The number of seconds the IP or IP plus user-agent should be locked out. Default: 600 (10 minutes).LOCKOUT_ENFORCEMENT_WINDOW The number of seconds before the failed login attempts are reset and the IP or IP plus user-agent gets a fresh start. Default: 300 (5 minutes). LOCKOUT_ENFORCEMENT_WINDOW affects failed login attempts up to the max allowed, while LOCKOUT_TIME takes effect when the max attempts is reached. For example, with a LOCKOUT_ENFORCEMENT_WINDOW of 5 minutes, suppose a user has a failed login attempt, followed by another failed login attempt 3 minutes later. Both attempts will count toward the maximum. However, if the 5-minute mark (from the first failed attempt) is reached with fewer than the max allowed attempts, the failures will expire and the user will once again be allowed the maximum attempts. If the user exceeds the max within the LOCKOUT_ENFORCEMENT_WINDOW, the user will be locked out for LOCKOUT_TIME seconds.LOCKOUT_USE_USER_AGENT Whether to track failed login attempts by IP plus user-agent, instead of by IP only. Default: False.LOCKOUT_CACHE_PREFIX The prefix for cache keys generated by django-lockout. Default: 'lockout'. Requirements: · Python · Django

django-lockout Related Software