django-lockout is a cache-based Django app that locks out users after too many failed login attempts. Because django-lockout tracks login attempts in your site's cache, it is fast and lightweight. It is intended for Django sites where protection against brute force attacks is desired with no additional database overhead.
django-lockout wraps django.contrib.auth.authenticate and raises lockout.LockedOut when too many login attempts occur. Your views are responsible for catching and handling LockedOut however you deem fit.

django-lockout's middleware class stores the request object in the thread-local namespace so that the wrapped authenticate function has access to it (it needs the request to read the client's IP and user-agent).

Login attempts can be tracked by IP only or by IP plus user-agent.
django-lockout requires and has been tested with Django 1.3 and Python versions 2.4 through 2.7. It should work with earlier versions of Django, but this is untested, as the test suite relies on django.test.client.RequestFactory. If you use django-lockout with a version of Django earlier than 1.3, you should not add 'lockout' to your INSTALLED_APPS, to prevent running the test suite.

django-lockout requires that you have enabled a cache for your site.
You can install django-lockout with pip:

    pip install django-lockout

Add 'lockout.middleware.LockoutMiddleware' to your MIDDLEWARE_CLASSES. It should come before Django's session and authentication middleware:

    MIDDLEWARE_CLASSES = [
        'lockout.middleware.LockoutMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        ...
    ]

Adding 'lockout' to your INSTALLED_APPS is only required if you want to run django-lockout's test suite.
Below is an example of how you might use django-lockout in a login view. LockedOut is raised by the wrapped authenticate call, so the view catches it and reports the lockout to the user instead of treating it as an ordinary failed login:

    from django.contrib import auth, messages
    from lockout import LockedOut

    try:
        user = auth.authenticate(username=username, password=password)
    except LockedOut:
        # The client's IP (or IP plus user-agent) is currently locked out.
        messages.warning(request, 'Your account has been locked out because of too many failed login attempts.')
If you need to clear the record of failed attempts for an IP or IP plus user-agent, call lockout.reset_attempts, passing the request for that IP or IP plus user-agent.

django-lockout's behaviour is controlled by the following settings:
- The maximum number of login attempts before the IP or IP plus user-agent is locked out. Default:
- The number of seconds the IP or IP plus user-agent should be locked out.
- The number of seconds before the failed login attempts are reset and the IP or IP plus user-agent gets a fresh start. Default:

LOCKOUT_ENFORCEMENT_WINDOW affects failed login attempts up to the max allowed, while LOCKOUT_TIME takes effect when the max attempts is reached. For example, with a LOCKOUT_ENFORCEMENT_WINDOW of 5 minutes, suppose a user has a failed login attempt, followed by another failed login attempt 3 minutes later. Both attempts count toward the maximum. However, if the 5-minute mark (measured from the first failed attempt) is reached with fewer than the max allowed attempts, the failures expire and the user is once again allowed the maximum number of attempts. If the user exceeds the max within the LOCKOUT_ENFORCEMENT_WINDOW, the user is locked out for LOCKOUT_TIME seconds.

- Whether to track failed login attempts by IP plus user-agent, instead of by IP only. Default:
- The prefix for cache keys generated by django-lockout. Default:
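The interaction between the enforcement window and the lockout time is easy to get wrong, so here is a small self-contained model of it. This is an added example written for this page, not django-lockout's own code: it replays the timeline described above (two failures 3 minutes apart, the window expiring, then a burst of failures that triggers a lockout) against a fake cache and a fake clock. The class and method names (LockoutTracker, FakeCache, FakeClock, record_failure), the demo values (3 attempts, 300 s window, 600 s lockout, the 203.0.113.7 documentation address) and the choice to lock as soon as the max is reached are all assumptions of the example, as is the use of a hashed IP or IP-plus-user-agent string as the cache key.

```python
"""Model of the two-window lockout semantics (added example, not project code).
Assumes a dict-backed cache with absolute expiry and a controllable clock;
every value below is constructed for the demonstration."""
import hashlib

# Constructed demo settings; the real defaults are not reproduced here.
LOCKOUT_MAX_ATTEMPTS = 3
LOCKOUT_ENFORCEMENT_WINDOW = 300   # seconds, measured from the first failure
LOCKOUT_TIME = 600                 # seconds the client stays locked out


class FakeClock:
    """Stand-in for time.time() so the timeline can be advanced deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeCache:
    """Minimal cache with timeout-based expiry, standing in for Django's cache."""
    def __init__(self, clock):
        self._clock = clock
        self._store = {}  # key -> (value, expires_at)

    def get(self, key, default=None):
        item = self._store.get(key)
        if item is None:
            return default
        value, expires_at = item
        if self._clock() >= expires_at:     # lazy expiry, like a real cache
            del self._store[key]
            return default
        return value

    def set(self, key, value, timeout):
        self._store[key] = (value, self._clock() + timeout)

    def delete(self, key):
        self._store.pop(key, None)


class LockedOut(Exception):
    """Raised when the client has used up its allowed failed attempts."""


class LockoutTracker:
    def __init__(self, cache, clock, max_attempts=LOCKOUT_MAX_ATTEMPTS,
                 enforcement_window=LOCKOUT_ENFORCEMENT_WINDOW,
                 lockout_time=LOCKOUT_TIME, use_user_agent=False, prefix="lockout"):
        self.cache, self.clock = cache, clock
        self.max_attempts, self.enforcement_window = max_attempts, enforcement_window
        self.lockout_time, self.use_user_agent, self.prefix = lockout_time, use_user_agent, prefix

    def key_for(self, ip, user_agent=""):
        # Hypothetical key scheme: hash the identity so raw IPs/UAs never become cache keys.
        ident = ip + "|" + user_agent if self.use_user_agent else ip
        return "%s:%s" % (self.prefix, hashlib.sha256(ident.encode()).hexdigest()[:16])

    def is_locked(self, ip, user_agent=""):
        return bool(self.cache.get(self.key_for(ip, user_agent) + ":locked"))

    def record_failure(self, ip, user_agent=""):
        """Count a failure; the window end is fixed at the first failure, never extended."""
        key, now = self.key_for(ip, user_agent), self.clock()
        count, window_end = self.cache.get(key) or (0, now + self.enforcement_window)
        count += 1
        if count >= self.max_attempts:          # assumption: lock once the max is reached
            self.cache.set(key + ":locked", True, self.lockout_time)
            self.cache.delete(key)
        else:
            self.cache.set(key, (count, window_end), window_end - now)
        return count

    def reset_attempts(self, ip, user_agent=""):
        key = self.key_for(ip, user_agent)
        self.cache.delete(key)
        self.cache.delete(key + ":locked")

    def authenticate(self, ip, password_ok, user_agent=""):
        """Mirrors the wrapped authenticate: raise if locked, else count failures."""
        if self.is_locked(ip, user_agent):
            raise LockedOut("too many failed login attempts")
        if not password_ok:
            self.record_failure(ip, user_agent)
        return password_ok


def run_scenario():
    """Replay the README's timeline and return the observed states (constructed)."""
    clock = FakeClock()
    tracker = LockoutTracker(FakeCache(clock), clock)
    ip, out = "203.0.113.7", {}
    tracker.authenticate(ip, False)                 # t=0:     failure 1 starts the window
    clock.advance(180)
    tracker.authenticate(ip, False)                 # t=3 min: failure 2, still inside window
    out["count_after_two"] = tracker.cache.get(tracker.key_for(ip))[0]
    clock.advance(180)                              # t=6 min: window (from t=0) has expired
    out["counter_after_window"] = tracker.cache.get(tracker.key_for(ip))
    for _ in range(LOCKOUT_MAX_ATTEMPTS):           # fresh start, then a burst to the max
        tracker.authenticate(ip, False)
    try:
        tracker.authenticate(ip, True)              # even a correct password is refused
        out["locked_after_max"] = False
    except LockedOut:
        out["locked_after_max"] = True
    clock.advance(LOCKOUT_TIME)                     # lockout period elapses
    out["unlocked_after_lockout_time"] = tracker.is_locked(ip)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The detail worth noticing is in record_failure: the cache entry is rewritten with the remaining time to the original window end rather than a fresh timeout, which is what makes "5 minutes from the first failed attempt" hold even when later failures arrive. Re-setting the full window on every failure would silently turn the enforcement window into a sliding window that a slow, steady trickle of failures keeps alive indefinitely.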