Python Django - how long does a session last (if the user closes and reopens the browser)?
I am trying to set the number of times a user can try a password. Currently I want to store in the session the number of times he/she can try the password and the penalty time. The question is whether the user closing the browser, or switching to another IP address, affects the session. For example, if the user has a 5-minute penalty time (which can be done by checking that the subtraction of two datetime instances is > 5), then let the user retry 5 times. If the user closes and reopens the browser in the meantime, is the session lost?

Check before the user logs in:
```python
# Module-level imports this view fragment needs
import datetime
import logging

from django.http import HttpResponse

logger = logging.getLogger(__name__)

##############SESSION BASED##################
# Initialize tries, to be used later on (stored as a string in the session)
tries = request.session.get('tries', "0")
# If tries >= 5 times
if int(tries) >= 5:
    timeNow = request.session['locked_time']
    # locked_time was stored with str(datetime.now()), so parse it back the same way
    timeDifferenceSeconds = (datetime.datetime.now()
                             - datetime.datetime.strptime(timeNow, "%Y-%m-%d %H:%M:%S.%f")).total_seconds()
    # See if the difference is greater than 15 minutes, otherwise stay locked
    if timeDifferenceSeconds > 900:
        request.session['tries'] = str(0)
        logger.info("User:" + str(username) + " is unlocked")
    else:
        logger.info("User:" + str(username) + " is currently locked")
        logger.info("User:" + str(username) + " returning Locked")
        return HttpResponse("Locked")
##############SESSION BASED##################
```
After the user gets an invalid login:
```python
##############SESSION BASED##################
# If the user fails in providing the correct username/password, increment tries
try:
    tries = request.session['tries']
    num = int(tries)
    num += 1
    tries = str(num)
    request.session['tries'] = str(tries)
except KeyError:
    # First failure for this session: count it as one try (0 would allow a sixth attempt)
    tries = 1
    request.session['tries'] = str(tries)
# If tries >= 5, then we will lock
if int(tries) >= 5:
    logger.info("User:" + str(username) + " is not valid, current tries:" + str(tries) + " and will be locked")
    request.session['locked_time'] = str(datetime.datetime.now())
    logger.info("User:" + str(username) + " returning Locked")
    return HttpResponse("Locked")
else:
    logger.info("User:" + str(username) + " is not valid, current tries:" + str(tries))
    logger.info("User:" + str(username) + " returning Invalid")
    return HttpResponse("Invalid")
##############SESSION BASED##################
```
Currently I have not changed SESSION_COOKIE_AGE, so it is still at the default of 2 weeks.
Update:

Used a combination of IP and user flags; not tested yet, hoping it works.

Before the user logs in, check:
- if their IP address is in the suspicious table with more than 10 accounts, they cannot log in;
- the number of tries: if more than 5, we lock them for 15 minutes, multiplied by the number of times they have exceeded 5 tries.

Code: (the listings appear further down the page, after the answer and comments)

If their login is invalid:
- increment tries; if tries > 5 they are locked, and the datetime of when they were locked is tested before login;
- if they have more than 5 violations, the account is locked until the user unlocks it by clicking the link in an automatically generated e-mail sent to the user.

Code: (see below)

Other models used:
```python
from django.db import models


class blockedList(models.Model):
    username = models.CharField(max_length=200, primary_key=True)
    realIP = models.CharField(max_length=200)
    IP = models.CharField(max_length=200)
    dateTime = models.CharField(max_length=200)
    tries = models.IntegerField()
    violations = models.IntegerField()
    lockedTemp = models.CharField(max_length=200)


class suspicousIP(models.Model):
    IP = models.CharField(max_length=200, primary_key=True)
    count = models.IntegerField()
```
Answer:

As you mention in the question, a session in Django stays valid for as long as SESSION_COOKIE_AGE determines, counted from the last access to that session; the default is 2 weeks. There are two exceptions: you can set the expiry of the session yourself, in which case it depends on that; or the setting SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, in which case the session is cleared every time the user closes the browser.

But it is very important to understand that the session ID is stored in a cookie on the client side, so the user can easily delete that cookie, and the Django server will then consider it a new session.

Another way to implement what you want is to save this data on the user, meaning that if, after a few wrong attempts to log in as user user@example.com, you flag that username as banned for X minutes. You would need a separate database table to save this information, plus your own logic. I currently do not know of an app that does this, but a quick search may prove me wrong.
Comments:

This way, even if the user clears the session, the server still will not let the user log in. By default, the session is stored on the client. The user can delete the session by clearing the cookies in the browser. Another approach:

Thanks for the answer. I think my best option is to save the client's IP and ban it for X minutes. In addition, if this violation happens more than Y times, i.e. 3 consecutive bans within Z minutes, lock the account and send an unlock e-mail.

If you are worried about someone trying to break into a specific account, then he can change his IP address, so I guess that is not enough. If someone is just trying to get into any account, then you need an IPS/IDS mechanism to detect that behaviour, which is far more complex.

I think an IDS is overkill at this point. Wouldn't it be enough to lock the account permanently after X tries, until the real user goes to his/her mail and clicks the unlock e-mail? Thinking about it, continuous attacks could be very annoying, since the user would keep getting locked out.

I agree that IPS/IDS is complete overkill. But the problem is that if someone is trying to break into a specific account, flagging only the client IP is not enough; a hacker will find a way to get around it easily. I think flagging the username is the better approach.
Code from the question's update, run when the login succeeds (clears the user's lockout entries):

```python
# See if the user's remember me is checked; if it is not checked, then
# the session cookie will automatically expire when the browser closes
if rememberMe == "true":
    request.session.set_expiry(86400)
    logger.info("User:" + str(username) + " has set their expiration to 1 day")
else:
    request.session.set_expiry(0)
    logger.info("User:" + str(username) + " has set their expiration to expire when browser closes")
# See if the user is marked in blockedList; if true, then delete their row
try:
    userObject = blockedList.objects.get(pk=username)
    userObject.delete()
    logger.info("User:" + str(username) + " is in blockedList, removing their entry")
except blockedList.DoesNotExist:
    logger.info("User:" + str(username) + " is NOT in blockedList")
# See if the user's real IP is marked in suspicious IP; if true, then remove their entry
try:
    suspiciousIP = suspicousIP.objects.get(pk=realIP)
    suspiciousIP.delete()
    logger.info("User:" + str(username) + " is in suspicious real IP, removing their entry")
except suspicousIP.DoesNotExist:
    pass
# See if the user's IP is marked in suspicious IP; if true, then remove their entry
try:
    suspiciousIP = suspicousIP.objects.get(pk=IP)
    suspiciousIP.delete()
    logger.info("User:" + str(username) + " is in suspicious IP, removing their entry")
except suspicousIP.DoesNotExist:
    pass
```
Code from the question's update, run on an invalid login:

```python
##############USER BASED AUTHENTICATION SYSTEM#####################
try:
    # Get their current object, if it exists, and increase their tries
    userObject = blockedList.objects.get(pk=username)
    userObject.tries += 1
    # If their tries >= 5, then lock them temporarily, and increase violations
    if userObject.tries >= 5:
        logger.info("User:" + str(username) + " is not valid, current tries:" + str(userObject.tries) + " and will be locked")
        userObject.violations += 1                             # the model field is 'violations'
        userObject.dateTime = str(datetime.datetime.now())     # was dateTime.dateTime.now()
        # If violations >= 5, then we will tempLock, and it can only be unlocked by e-mail
        if userObject.violations >= 5:
            logger.info("User:" + str(username) + " is not valid, will get TempLocked")
            userObject.lockedTemp = "True"
            userObject.save()
            # Get their suspicious real IP and increase its count, or make a new one
            try:
                suspiciousIP = suspicousIP.objects.get(pk=realIP)
                suspiciousIP.count += 1
                suspiciousIP.save()
                logger.info("User:" + str(username) + " has a suspiciousIP:" + str(suspiciousIP) + " current count:" + str(suspiciousIP.count))
            except suspicousIP.DoesNotExist:
                if realIP is not None:
                    newSuspiciousIP = suspicousIP(IP=realIP, count=1)   # count has no default
                    newSuspiciousIP.save()
                    logger.info("User:" + str(username) + " has a new suspiciousIP:" + str(realIP))
            # Get their suspicious IP and increase its count, or make a new one
            try:
                suspiciousIP = suspicousIP.objects.get(pk=IP)
                suspiciousIP.count += 1
                suspiciousIP.save()
                logger.info("User:" + str(username) + " has a suspiciousIP:" + str(suspiciousIP) + " current count:" + str(suspiciousIP.count))
            except suspicousIP.DoesNotExist:
                if IP is not None:
                    newSuspiciousIP = suspicousIP(IP=IP, count=1)
                    newSuspiciousIP.save()
                    logger.info("User:" + str(username) + " has a new suspiciousIP:" + str(IP))
            logger.info("User:" + str(username) + " returning tempLock")
            return HttpResponse("tempLock")
        userObject.save()
        logger.info("User:" + str(username) + " returning Locked")
        return HttpResponse("Locked")
    # Fewer than 5 tries: persist the incremented counter and report an invalid login
    userObject.save()
    logger.info("User:" + str(username) + " returning Invalid")
    return HttpResponse("Invalid")
except blockedList.DoesNotExist:
    # First failure for this username: create their row with one try
    newUserObject = blockedList(username=username, realIP=realIP, IP=IP,
                                dateTime="", tries=1, violations=0,
                                lockedTemp="False")
    newUserObject.save()
    logger.info("User:" + str(username) + " returning Invalid")
    return HttpResponse("Invalid")
##############USER BASED AUTHENTICATION SYSTEM#####################
```
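As an added example, not code from the question or the answer: the per-username lockout the answer recommends and the question's update sketches, written as plain Python without Django so it runs stand-alone. The thresholds (5 tries, a 15-minute lock, 5 violations before only the e-mail link unlocks) are the page's; the names LoginGuard and LockRecord, the dict standing in for the blockedList table, and passing the current time in as a parameter are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_TRIES = 5                        # failures before a temporary lock (from the question)
LOCK_WINDOW = timedelta(minutes=15)  # length of the temporary lock (from the question)
MAX_VIOLATIONS = 5                   # temporary locks before only the e-mail link unlocks (from the question)


@dataclass
class LockRecord:                    # per-username state kept server-side; clearing cookies cannot reset it
    tries: int = 0
    violations: int = 0
    locked_until: Optional[datetime] = None
    needs_email_unlock: bool = False


class LoginGuard:                    # same verdicts as the question's views: ok / Invalid / Locked / tempLock
    def __init__(self) -> None:
        self.records: Dict[str, LockRecord] = {}   # assumed stand-in for the blockedList table

    def check_before_login(self, username: str, now: datetime) -> str:
        rec = self.records.get(username)
        if rec is None:
            return "ok"
        if rec.needs_email_unlock:
            return "tempLock"
        if rec.locked_until is not None and now < rec.locked_until:
            return "Locked"
        rec.tries, rec.locked_until = 0, None    # window over: reset tries, keep the violation count
        return "ok"

    def record_failure(self, username: str, now: datetime) -> str:
        rec = self.records.setdefault(username, LockRecord())
        if rec.locked_until is not None and now < rec.locked_until:
            return "Locked"                      # still inside the window: no extra violation
        rec.tries += 1
        if rec.tries < MAX_TRIES:
            return "Invalid"
        rec.violations += 1
        rec.locked_until = now + LOCK_WINDOW
        if rec.violations >= MAX_VIOLATIONS:
            rec.needs_email_unlock = True
            return "tempLock"
        return "Locked"

    def clear(self, username: str) -> None:      # successful login or the e-mail unlock link: delete the row
        self.records.pop(username, None)
```

Because the state is keyed by username on the server, deleting the session cookie or changing IP address does not reset the counter, which is the gap the answer points out in the session-based version.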