Restrict Django sessions to IP and/or user agent.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mxsasha from gravatar.com mxsasha

Unverified details

These details have not been verified by PyPI
Project links
Meta
Classifiers

Project description

https://badge.fury.io/py/django-restricted-sessions.png https://travis-ci.org/erikr/django-restricted-sessions.png?branch=master https://coveralls.io/repos/erikr/django-restricted-sessions/badge.png?branch=master&

Restricts Django sessions to IP and/or user agent.

If the IP or user agent changes after creating the session, the a 400 response is given to the request, the session is flushed (all session data deleted, new session created) and a warning is logged. The goal of this middleware is to make it harder for an attacker to use a session ID they obtained. It does not make abuse of session IDs impossible.

For compatibility with IPv6 privacy extensions, by default only the first 64 bits of an IPv6 address are checked.

Documentation

The full documentation is at https://django-restricted-sessions.readthedocs.org.

Quickstart

Install django-restricted-sessions:

pip install django-restricted-sessions

Then add it to your middleware after SessionMiddleware:

MIDDLEWARE_CLASSES = [
    ....
    'django.contrib.sessions.middleware.SessionMiddleware',
    # 'django.contrib.auth.middleware.AuthenticationMiddleware',
    'restrictedsessions.middleware.RestrictedSessionsMiddleware',
    ....
]

When RESTRICTEDSESSIONS_AUTHED_ONLY setting enabled ensure this middleware is added after AuthenticationMiddleware such that the request.user is present.

History

0.2.0 (2017-04-06)

  • For Django 1.10+ support, changed from object to django.utils.deprecation.MiddlewareMixin

  • Added PyPI trove classifiers for Django versions and more Python versions

  • Updated travis.yml for more Python versions

0.1.4 (2016-07-02)

  • Fixed an exception that could occur when non-utf8 bytes were included in user agent strings.

0.1.3.1 (2016-05-26)

  • Version bump to avoid PyPI’s duplicate filename ban.

0.1.3 (2016-05-26)

  • Added support to redirect to known view, or use custom status code settings.

  • Added support for ignoring unauthenticated sessions.

  • Fixed short circuit when REMOTE_ADDR was unknown.

  • Dropped support for older Python versions: now requires 2.7, 3.3 or newer, with Django 1.8.

0.1.2 (2014-03-20)

  • Resolved exception being raised when session switches from IPv4 to IPv6

  • Python 3.4 support

0.1.1 (2014-02-18)

  • Added missing netaddr requirement to setup.py.

0.1.0 (2014-02-17)

  • First release on PyPI.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mxsasha from gravatar.com mxsasha

Unverified details

These details have not been verified by PyPI
Project links
Meta
Classifiers

Release history Release notifications | RSS feed

0.4.0

0.3.0

This version

0.2.0

0.1.4

0.1.3.1

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-restricted-sessions-0.2.0.tar.gz (6.7 kB view details)

Uploaded Source

File details

Details for the file django-restricted-sessions-0.2.0.tar.gz.

File metadata

File hashes

Hashes for django-restricted-sessions-0.2.0.tar.gz
Algorithm Hash digest
SHA256 d75ffd611d038e6a9ad5ce881a94ef94a12efe1d1681f37274b24aee16f83f25
MD5 82a7299c0fa2681cac440ed0d4d1b5e8
BLAKE2b-256 4b1894d86d4f792b4b400ea6986a5406f4c273c457ddbd8bd2f7eddf326d096e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page