django-lockout 0.1.1

cached-based Django app that locks out users after too many failed login attempts
django-lockout is a cache-based Django app that locks out users after too many failed login attempts. Because django-lockout tracks login attempts in your site's cache, it is fast and lightweight. django-lockout is intended for Django sites where protection against brute force attacks is desired with no additional database overhead.

django-lockout wraps django.contrib.auth.authenticate and raises lockout.LockedOut when too many login attempts occur. Your views are responsible for catching and handling LockedOut however you deem appropriate. django-lockout's middleware class stores the request object in the thread local namespace to give the wrapped auth.authenticate function access to it.

Login attempts can be tracked by IP only or by IP plus user-agent.

Requirements

django-lockout is designed for Django 1.3. It also works with Django 1.0, 1.1, and 1.2, with the exception of the test suite (which relies on django.test.client.RequestFactory). If you use django-lockout with an earlier version of Django than 1.3, you should not add 'lockout' to your INSTALLED_APPS.

django-lockout requires that you have enabled a cache for your site.

Installation

You can install django-lockout using pip:

pip install django-lockout

or easy_install:

easy_install django-lockout

Add 'lockout.middleware.LockoutMiddleware' to your MIDDLEWARE_CLASSES. It should come before Django's AuthenticationMiddleware:

MIDDLEWARE_CLASSES = [
 'lockout.middleware.LockoutMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 ...
 ]


Adding 'lockout' to your INSTALLED_APPS is only required if you want to run django-lockout's test suite.

Usage


Below is an example of how you might use django-lockout:

try:
 user = auth.authenticate(username=username, password=password)
except LockedOut:
 messages.warning(request, 'Your account has been locked out because of too many failed login attempts.')


If you need to clear the record of failed attempts for an IP or IP plus user-agent, call lockout.reset_attempts, passing the request for that IP or IP plus user-agent:

reset_attempts(request)

Settings

LOCKOUT_MAX_ATTEMPTS
 The maximum number of login attempts before the IP or IP plus user-agent is locked out. Default: 5.
LOCKOUT_TIME
 The number of seconds the IP or IP plus user-agent should be locked out. Default: 600 (10 minutes).
LOCKOUT_ENFORCEMENT_WINDOW

 The number of seconds before the failed login attempts are reset and the IP or IP plus user-agent gets a fresh start. Default: 300 (5 minutes).

 LOCKOUT_ENFORCEMENT_WINDOW affects failed login attempts up to the max allowed, while LOCKOUT_TIME takes effect when the max attempts is reached. For example, with a LOCKOUT_ENFORCEMENT_WINDOW of 5 minutes, suppose a user has a failed login attempt, followed by another failed login attempt 3 minutes later. Both attempts will count toward the maximum. However, if the 5-minute mark (from the first failed attempt) is reached with fewer than the max allowed attempts, the failures will expire and the user will once again be allowed the maximum attempts. If the user exceeds the max within the LOCKOUT_ENFORCEMENT_WINDOW, the user will be locked out for LOCKOUT_TIME seconds.
LOCKOUT_USE_USER_AGENT
 Whether to track failed login attempts by IP plus user-agent, instead of by IP only. Default: False.
LOCKOUT_CACHE_PREFIX
 The prefix for cache keys generated by django-lockout. Default: 'lockout'.

last updated on:
August 31st, 2011, 13:40 GMT
price:
FREE!
developed by:
Brian Jay Stanley
homepage:
pypi.python.org
license type:
MIT/X Consortium License 
category:
ROOT \ Internet \ HTTP (WWW)
django-lockout
Download Button

In a hurry? Add it to your Download Basket!

user rating

UNRATED
0.0/5
 

0/5

Rate it!

Add your review!

SUBMIT