=============================
django-restricted-sessions
=============================
.. image:: https://badge.fury.io/py/django-restricted-sessions.png
:target: http://badge.fury.io/py/django-restricted-sessions
.. image:: https://travis-ci.org/mxsasha/django-restricted-sessions.png?branch=master
:target: https://travis-ci.org/mxsasha/django-restricted-sessions
.. image:: https://coveralls.io/repos/mxsasha/django-restricted-sessions/badge.png?branch=master&
:target: https://coveralls.io/r/mxsasha/django-restricted-sessions?branch=master
Restricts Django sessions to IP and/or user agent.
If the IP or user agent changes after creating the session, the a 400 response is given to the request, the session is
flushed (all session data deleted, new session created) and a warning is logged. The goal of this middleware is to
make it harder for an attacker to use a session ID they obtained. It does not make abuse of session IDs impossible.
For compatibility with IPv6 privacy extensions, by default only the first 64 bits of an IPv6 address are checked.
Documentation
-------------
The full documentation is at https://django-restricted-sessions.readthedocs.org.
Quickstart
----------
Install django-restricted-sessions::
pip install django-restricted-sessions
Then add it to your middleware after SessionMiddleware::
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
'restrictedsessions.middleware.RestrictedSessionsMiddleware',
....
]
If you use ``RESTRICTEDSESSIONS_AUTHED_ONLY``, ensure this middleware is added after
``AuthenticationMiddleware`` so that the ``request.user`` is present.
History
-------
0.4.0 (2023-06-02)
++++++++++++++++++
* Updated Django support to only 3.2, 4.1 and 4.2 (thanks to @ronnievdc).
* Various other cleanups and documentation format fixes.
0.3.0 (2019-12-03)
++++++++++++++++++
* Updated Django support to 1.11, 2.2 and 3.0.
* Fixed issues when ``X_FORWARDED_FOR`` contains multiple addresses.
0.2.0 (2017-04-06)
++++++++++++++++++
* For Django 1.10+ support, changed from `object` to `django.utils.deprecation.MiddlewareMixin`
* Added PyPI trove classifiers for Django versions and more Python versions
* Updated `travis.yml` for more Python versions
0.1.4 (2016-07-02)
++++++++++++++++++
* Fixed an exception that could occur when non-utf8 bytes were included
in user agent strings.
0.1.3.1 (2016-05-26)
++++++++++++++++++++
* Version bump to avoid PyPI's duplicate filename ban.
0.1.3 (2016-05-26)
++++++++++++++++++
* Added support to redirect to known view, or use custom status code settings.
* Added support for ignoring unauthenticated sessions.
* Fixed short circuit when REMOTE_ADDR was unknown.
* Dropped support for older Python versions: now requires 2.7, 3.3 or newer,
with Django 1.8.
0.1.2 (2014-03-20)
++++++++++++++++++
* Resolved exception being raised when session switches from IPv4 to IPv6
* Python 3.4 support
0.1.1 (2014-02-18)
++++++++++++++++++
* Added missing netaddr requirement to setup.py.
0.1.0 (2014-02-17)
++++++++++++++++++
* First release on PyPI.
Raw data
{
"_id": null,
"home_page": "https://github.com/mxsasha/django-restricted-sessions",
"name": "django-restricted-sessions",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "django-restricted-sessions",
"author": "django-restricted-sessions",
"author_email": "github@mxsasha.eu",
"download_url": "https://files.pythonhosted.org/packages/09/44/21196486c19ab5828a0dbc63db988de5fd9a2e20be7d96b912b0c5bd0228/django-restricted-sessions-0.4.0.tar.gz",
"platform": null,
"description": "=============================\ndjango-restricted-sessions\n=============================\n\n.. image:: https://badge.fury.io/py/django-restricted-sessions.png\n :target: http://badge.fury.io/py/django-restricted-sessions\n\n.. image:: https://travis-ci.org/mxsasha/django-restricted-sessions.png?branch=master\n :target: https://travis-ci.org/mxsasha/django-restricted-sessions\n\n.. image:: https://coveralls.io/repos/mxsasha/django-restricted-sessions/badge.png?branch=master&\n :target: https://coveralls.io/r/mxsasha/django-restricted-sessions?branch=master\n\nRestricts Django sessions to IP and/or user agent.\n\nIf the IP or user agent changes after creating the session, the a 400 response is given to the request, the session is\nflushed (all session data deleted, new session created) and a warning is logged. The goal of this middleware is to\nmake it harder for an attacker to use a session ID they obtained. It does not make abuse of session IDs impossible.\n\nFor compatibility with IPv6 privacy extensions, by default only the first 64 bits of an IPv6 address are checked.\n\nDocumentation\n-------------\n\nThe full documentation is at https://django-restricted-sessions.readthedocs.org.\n\nQuickstart\n----------\n\nInstall django-restricted-sessions::\n\n pip install django-restricted-sessions\n\nThen add it to your middleware after SessionMiddleware::\n\n MIDDLEWARE = [\n \"django.middleware.security.SecurityMiddleware\",\n \"django.contrib.sessions.middleware.SessionMiddleware\",\n 'restrictedsessions.middleware.RestrictedSessionsMiddleware',\n ....\n ]\n\nIf you use ``RESTRICTEDSESSIONS_AUTHED_ONLY``, ensure this middleware is added after\n``AuthenticationMiddleware`` so that the ``request.user`` is present.\n\n\n\n\nHistory\n-------\n\n0.4.0 (2023-06-02)\n++++++++++++++++++\n\n* Updated Django support to only 3.2, 4.1 and 4.2 (thanks to @ronnievdc).\n* Various other cleanups and documentation format fixes.\n\n0.3.0 (2019-12-03)\n++++++++++++++++++\n\n* Updated Django support to 1.11, 2.2 and 3.0.\n* Fixed issues when ``X_FORWARDED_FOR`` contains multiple addresses.\n\n0.2.0 (2017-04-06)\n++++++++++++++++++\n\n* For Django 1.10+ support, changed from `object` to `django.utils.deprecation.MiddlewareMixin`\n* Added PyPI trove classifiers for Django versions and more Python versions\n* Updated `travis.yml` for more Python versions\n\n0.1.4 (2016-07-02)\n++++++++++++++++++\n\n* Fixed an exception that could occur when non-utf8 bytes were included\n in user agent strings.\n\n0.1.3.1 (2016-05-26)\n++++++++++++++++++++\n\n* Version bump to avoid PyPI's duplicate filename ban.\n\n0.1.3 (2016-05-26)\n++++++++++++++++++\n\n* Added support to redirect to known view, or use custom status code settings.\n* Added support for ignoring unauthenticated sessions.\n* Fixed short circuit when REMOTE_ADDR was unknown.\n* Dropped support for older Python versions: now requires 2.7, 3.3 or newer,\n with Django 1.8.\n\n0.1.2 (2014-03-20)\n++++++++++++++++++\n\n* Resolved exception being raised when session switches from IPv4 to IPv6\n* Python 3.4 support\n\n0.1.1 (2014-02-18)\n++++++++++++++++++\n\n* Added missing netaddr requirement to setup.py.\n\n0.1.0 (2014-02-17)\n++++++++++++++++++\n\n* First release on PyPI.\n",
"bugtrack_url": null,
"license": "BSD",
"summary": "Restrict Django sessions to IP and/or user agent.",
"version": "0.4.0",
"project_urls": {
"Homepage": "https://github.com/mxsasha/django-restricted-sessions"
},
"split_keywords": [
"django-restricted-sessions"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "aa720b0bef9d8142d06c897a30b0a13ab4c9b81aec9500442e2dbff71602e865",
"md5": "c40e6dbd32229d73afa527cce279ce39",
"sha256": "082896f39d58524bc438b137d58eaa32faef4b264e99f2ea1f983761d4da2713"
},
"downloads": -1,
"filename": "django_restricted_sessions-0.4.0-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "c40e6dbd32229d73afa527cce279ce39",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": null,
"size": 5868,
"upload_time": "2023-06-02T11:14:20",
"upload_time_iso_8601": "2023-06-02T11:14:20.020010Z",
"url": "https://files.pythonhosted.org/packages/aa/72/0b0bef9d8142d06c897a30b0a13ab4c9b81aec9500442e2dbff71602e865/django_restricted_sessions-0.4.0-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "094421196486c19ab5828a0dbc63db988de5fd9a2e20be7d96b912b0c5bd0228",
"md5": "9e1d7e1bbe057a12664cde89f37fefb3",
"sha256": "23a6f179b1a2a2ded03a826de6530f72bf46c7c00f5abc698e9673c5227a316b"
},
"downloads": -1,
"filename": "django-restricted-sessions-0.4.0.tar.gz",
"has_sig": false,
"md5_digest": "9e1d7e1bbe057a12664cde89f37fefb3",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 8489,
"upload_time": "2023-06-02T11:14:21",
"upload_time_iso_8601": "2023-06-02T11:14:21.593909Z",
"url": "https://files.pythonhosted.org/packages/09/44/21196486c19ab5828a0dbc63db988de5fd9a2e20be7d96b912b0c5bd0228/django-restricted-sessions-0.4.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-06-02 11:14:21",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "mxsasha",
"github_project": "django-restricted-sessions",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"lcname": "django-restricted-sessions"
}
JSON
