django-restricted-sessions

Restricts Django sessions to IP and/or user agent.

If the IP or user agent changes after creating the session, the a 400 response is given to the request, the session is flushed (all session data deleted, new session created) and a warning is logged. The goal of this middleware is to make it harder for an attacker to use a session ID they obtained. It does not make abuse of session IDs impossible.

For compatibility with IPv6 privacy extensions, by default only the first 64 bits of an IPv6 address are checked.

Documentation

The full documentation is at https://django-restricted-sessions.readthedocs.org.

Quickstart

Install django-restricted-sessions:

pip install django-restricted-sessions

Then add it to your middleware after SessionMiddleware:

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    'restrictedsessions.middleware.RestrictedSessionsMiddleware',
    ....
]

If you use RESTRICTEDSESSIONS_AUTHED_ONLY, ensure this middleware is added after AuthenticationMiddleware so that the request.user is present.

Name		Name	Last commit message	Last commit date
Latest commit History 41 Commits
.github/workflows		.github/workflows
docs		docs
restrictedsessions		restrictedsessions
tests		tests
.gitignore		.gitignore
AUTHORS.rst		AUTHORS.rst
CONTRIBUTING.rst		CONTRIBUTING.rst
HISTORY.rst		HISTORY.rst
LICENSE		LICENSE
MANIFEST.in		MANIFEST.in
Makefile		Makefile
README.rst		README.rst
requirements-test.txt		requirements-test.txt
requirements.txt		requirements.txt
runtests.py		runtests.py
setup.cfg		setup.cfg
setup.py		setup.py
test_urls.py		test_urls.py

License

mxsasha/django-restricted-sessions

Folders and files

Latest commit

History

Repository files navigation

django-restricted-sessions

Documentation

Quickstart

About

Resources

License

Stars

Watchers

Forks

Languages