django-restricted-sessions

Restrict Django sessions to IP and/or user agent.

These details have not been verified by PyPI

Project links

Homepage

Development Status
- 4 - Beta
Framework
- Django
Intended Audience
- Developers
License
- OSI Approved :: BSD License
Natural Language
- English
Programming Language

Project description

https://badge.fury.io/py/django-restricted-sessions.png

https://travis-ci.org/erikr/django-restricted-sessions.png?branch=master

https://coveralls.io/repos/erikr/django-restricted-sessions/badge.png?branch=master&

Restricts Django sessions to IP and/or user agent.

If the IP or user agent changes after creating the session, the a 400 response is given to the request, the session is flushed (all session data deleted, new session created) and a warning is logged. The goal of this middleware is to make it harder for an attacker to use a session ID they obtained. It does not make abuse of session IDs impossible.

For compatibility with IPv6 privacy extensions, by default only the first 64 bits of an IPv6 address are checked.

Documentation

The full documentation is at https://django-restricted-sessions.readthedocs.org.

Quickstart

Install django-restricted-sessions:

pip install django-restricted-sessions

Then add it to your middleware after SessionMiddleware:

MIDDLEWARE_CLASSES = [
    ....
    'django.contrib.sessions.middleware.SessionMiddleware',
    # 'django.contrib.auth.middleware.AuthenticationMiddleware',
    'restrictedsessions.middleware.RestrictedSessionsMiddleware',
    ....
]

When RESTRICTEDSESSIONS_AUTHED_ONLY setting enabled ensure this middleware is added after AuthenticationMiddleware such that the request.user is present.

History

0.1.3.1 (2016-05-26)

Version bump to avoid PyPI’s duplicate filename ban.

0.1.3 (2016-05-26)

Added support to redirect to known view, or use custom status code settings.
Added support for ignoring unauthenticated sessions.
Fixed short circuit when REMOTE_ADDR was unknown.
Dropped support for older Python versions: now requires 2.7, 3.3 or newer, with Django 1.8.

0.1.2 (2014-03-20)

Resolved exception being raised when session switches from IPv4 to IPv6
Python 3.4 support

0.1.1 (2014-02-18)

Added missing netaddr requirement to setup.py.

0.1.0 (2014-02-17)

First release on PyPI.

Project details

These details have not been verified by PyPI

Project links

Homepage

Development Status
- 4 - Beta
Framework
- Django
Intended Audience
- Developers
License
- OSI Approved :: BSD License
Natural Language
- English
Programming Language

Release history Release notifications | RSS feed

0.4.0

Jun 2, 2023

0.3.0

Dec 3, 2019

0.2.0

Apr 6, 2017

0.1.4

Jul 2, 2016

This version

0.1.3.1

May 26, 2016

0.1.2

Mar 20, 2014

0.1.1

Feb 18, 2014

0.1.0

Feb 17, 2014

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-restricted-sessions-0.1.3.1.tar.gz (6.3 kB view details)

Uploaded May 26, 2016 Source

File details

Details for the file django-restricted-sessions-0.1.3.1.tar.gz.

File metadata

Download URL: django-restricted-sessions-0.1.3.1.tar.gz
Upload date: May 26, 2016
Size: 6.3 kB
Tags: Source
Uploaded using Trusted Publishing? No

File hashes

Hashes for django-restricted-sessions-0.1.3.1.tar.gz
Algorithm	Hash digest
SHA256	`55b8ebb4cbd0aa3f5cab678c875dcc7f779e88a6c873b90473a25383c2366c08`
MD5	`ec5a89794e1de9336c72498bff0e398c`
BLAKE2b-256	`f457ca0cbbfeff9007cf82ab2030bbc8360d5d6664fb9b4d47872ecdf531a501`