Python Django-会话持续多长时间(如果用户关闭并重新打开浏览器)
我正在尝试设置用户可以尝试密码的次数。目前我想在会话中存储他/她可以尝试密码的次数和惩罚时间 问题是用户关闭浏览器或更改其他IP地址是否会影响会话 例如,如果用户有5分钟的惩罚时间,这可以通过两个datetime实例减法>5来完成,那么让用户重试5次。如果用户同时关闭并重新打开浏览器,会话是否会丢失 在用户登录之前进行检查:Python Django-会话持续多长时间(如果用户关闭并重新打开浏览器),python,django,session,Python,Django,Session,我正在尝试设置用户可以尝试密码的次数。目前我想在会话中存储他/她可以尝试密码的次数和惩罚时间 问题是用户关闭浏览器或更改其他IP地址是否会影响会话 例如,如果用户有5分钟的惩罚时间,这可以通过两个datetime实例减法>5来完成,那么让用户重试5次。如果用户同时关闭并重新打开浏览器,会话是否会丢失 在用户登录之前进行检查: ##############SESSION BASED################## #Initialize tries, to be used later on t
##############SESSION BASED##################
#Initialize tries, to be used later on
tries = "0"
try:
tries = request.session['tries']
except:
pass
#If tries > 5 times
if(int(tries) >= 5):
timeNow = request.session['locked_time']
timeDifferenceSeconds = (datetime.datetime.now() - datetime.datetime.strptime(timeNow, "%Y-%m-%d %H:%M:%S.%f")).total_seconds()
#See if the difference is greater than 15 minutes, otherwise lock
if(timeDifferenceSeconds > 900):
request.session['tries'] = str(0)
logger.info("User:" + str(username) + " is unlocked");
else:
logger.info("User:" + str(username) + " is currently locked");
logger.info("User:" + str(username) + " returning Locked");
return HttpResponse("Locked")
##############SESSION BASED##################
##############SESSION BASED##################
#if the user fails in providing the correct username/password, increment tries
try:
tries = request.session['tries']
num = int(tries)
num += 1
tries = str(num)
request.session['tries'] = str(tries)
except:
tries = 0
request.session['tries'] = str(tries)
#If tries > 5, then we will lock
if(int(tries) >= 5):
logger.info("User:" + str(username) + " is not valid, current tries:" + str(tries) + " and will be locked");
request.session['locked_time'] = str(datetime.datetime.now())
logger.info("User:" + str(username) + " returning Locked");
return HttpResponse("Locked")
else:
logger.info("User:" + str(username) + " is not valid, current tries:" + str(tries));
logger.info("User:" + str(username) + " returning Invalid");
return HttpResponse("Invalid")
##############SESSION BASED##################
class blockedList(models.Model):
username = models.CharField(max_length=200, primary_key=True)
realIP = models.CharField(max_length=200)
IP = models.CharField(max_length=200)
dateTime = models.CharField(max_length=200)
tries = models.IntegerField()
violations = models.IntegerField()
lockedTemp = models.CharField(max_length=200)
class suspicousIP(models.Model):
IP = models.CharField(max_length=200, primary_key=True)
count = models.IntegerField()
正如您在问题中所提到的,Django中的会话将一直有效,只要会话\u COOKIE\u AGE确定从上次访问该会话起的默认值为2周 有两个例外: 您可以自己设置会话的到期时间,然后视情况而定 在那上面。 浏览器关闭时的设置会话\u EXPIRE\u被手动设置为True。在这种情况下,每次用户关闭浏览器时,会话都会被清除 <>但是了解会话ID存储在客户端的Cookie中是非常重要的,因此用户很容易删除它的cookie,然后Django服务器会考虑这是一个新的会话。 实现所需功能的另一种方法是在用户上保存此数据,这意味着如果在几次错误尝试以用户身份登录后user@example.com,您可以在X分钟内将该用户名标记为禁止。您需要一个不同的数据库表来保存这些信息和您自己的逻辑。我目前还不知道有哪个应用程序能做到这一点,但快速搜索可能会证明我错了
这样,即使用户清除了会话,服务器也不允许用户登录。默认情况下,会话存储在客户端。用户可以在浏览器中删除会话清理cookies。另一种方法:谢谢你的回答。我认为我最好的办法是保存客户的IP,并禁止X分钟。此外,如果此违规行为发生超过Y次,在Z分钟内连续3次被禁止,则锁定帐户并发送解锁电子邮件。如果您担心有人试图入侵特定帐户,则他可以更改IP地址。所以我想这还不够。如果某人只是试图访问任何帐户,那么你需要一个IPS/IDS机制来检测这种行为,而这要复杂得多。我认为IDS目前是一种过激行为。在X尝试后,直到真正的用户转到他/她的邮件并单击解锁邮件,才永久锁定帐户难道不足够吗?想想看,由于用户一直被锁定,不断的攻击可能会非常恼人。我同意IPS/ID完全是杀伤力过大。但问题是,如果有人试图闯入某个帐户,仅标记客户端IP是不够的。黑客会找到一种方法轻松绕过它。我认为标记用户名是更好的方法
#See if the user's remember me is checked, if it is not checked, then
#the session cookie will automatically expire when the browser closes
if(rememberMe == "true"):
request.session.set_expiry(86400)
logger.info("User:" + str(username) + " has set their expiration to 1 day")
else:
request.session.set_expiry(0)
logger.info("User:" + str(username) + " has set their expiration to expire when browser closes")
#See if the user is marked in blockedList, if true, then delete their row
try:
userObject = blockedList.objects.get(pk=username)
userObject.delete()
logger.info("User:" + str(username) + " is in blockedList, removing their entry")
except:
logger.info("User:" + str(username) + " is NOT in blockedList")
pass
#See if the user's real IP is marked in suspicious IP, if true, then remove their entry
try:
suspiciousIP = suspicousIP.objects.get(pk=realIP)
suspiciousIP.delete()
logger.info("User:" + str(username) + " is in suspicious real IP, removing their entry")
except:
pass
#See if the user's IP is marked in suspicious IP, if true, then remove their entry
try:
suspiciousIP = suspicousIP.objects.get(pk=IP)
suspiciousIP.delete()
logger.info("User:" + str(username) + " is in suspicious IP, removing their entry")
except:
pass
##############USER BASED AUTHENTICATION SYSTEM#####################
try:
#Get their current object, if exists, and increase their tries
userObject = blockedList.objects.get(pk=username)
userObject.tries += 1
#If their tries >= 5, then lock them temporary, and increase violation
if(userObject.tries >= 5):
logger.info("User:" + str(username) + " is not valid, current tries:" + str(userObject.tries) + " and will be locked");
userObject.violation += 1
userObject.dateTime = str(dateTime.dateTime.now())
#If violation >= 5, then we will tempLock, and can only be unlocked by email
if(userObject.violation >= 5):
logger.info("User:" + str(username) + " is not valid, will get TempLocked");
userObject.lockedTemp = "True"
userObject.save()
#Get their suspicious Real IPs, and increase them, or make a new one
try:
suspiciousIP = suspicousIP.objects.get(pk=realIP)
suspiciousIP.count += 1
suspiciousIP.save()
logger.info("User:" + str(username) + " has a suspeciousIP:" + str(suspiciousIP) + " current count:" + str(suspiciousIP.count));
except:
if realIP is not None:
newSuspiciousIP = suspicousIP(IP = realIP)
newSuspiciousIP.save()
logger.info("User:" + str(username) + " has a new suspeciousIP:" + str(realIP));
#Get their suspicious IPs, and increase them, or make a new one
try:
suspiciousIP = suspicousIP.objects.get(pk=IP)
suspiciousIP.count += 1
suspiciousIP.save()
logger.info("User:" + str(username) + " has a suspeciousIP:" + str(suspiciousIP) + " current count:" + str(suspiciousIP.count));
except:
if IP is not None:
newSuspiciousIP = suspicousIP(IP = IP)
newSuspiciousIP.save()
logger.info("User:" + str(username) + " has a new suspeciousIP:" + str(IP));
logger.info("User:" + str(username) + " returning tempLock");
logger.info("User:" + str(username) + " returning tempLock");
return HttpResponse("tempLock")
userObject.save()
logger.info("User:" + str(username) + " returning Locked");
return HttpResponse("Locked")
except:
newUsername = username
newRealIP = realIP
newIP = IP
newDateTime = ""
newTries = 1
newViolations = 0
newLockedTemp = "False"
newUserObject = blockedList(username=newUsername, realIP=newRealIP, IP = newIP,
dateTime = newDateTime, tries = newTries, violations = newViolations,
lockedTemp = newLockedTemp)
newUserObject.save()
logger.info("User:" + str(username) + " returning Invalid");
return HttpResponse("Invalid")
##############USER BASED AUTHENTICATION SYSTEM#####################
class blockedList(models.Model):
username = models.CharField(max_length=200, primary_key=True)
realIP = models.CharField(max_length=200)
IP = models.CharField(max_length=200)
dateTime = models.CharField(max_length=200)
tries = models.IntegerField()
violations = models.IntegerField()
lockedTemp = models.CharField(max_length=200)
class suspicousIP(models.Model):
IP = models.CharField(max_length=200, primary_key=True)
count = models.IntegerField()