How to detect multiple logins into a Django web application from different locations?
I want to only allow one authenticated session at a time for an individual login in my Django application. So if a user is logged into the webpage on a given IP address, and those same user credentials are used to login from a different IP address I want to do something (either logout the first user or deny access to the second user.)
Not sure if this is still needed but thought I would share my solution:
1) Install django-tracking (thank you for that tip Van Gale, Google Maps + GeoIP is amazing!)
2) Add this middleware:
3) Make sure it goes after the VisitorTrackingMiddleware and you should find previous logins are automatically bumped when someone new logs in :)
If you're already using django-tracking as suggested here, there's a much easier way to implement this:
Define a signal handler:
Create a listener for the user_logged_in signal:
This will institute a sort of "last user to login wins" system. If you want to allow multiple logins by the same user from the same ip, you can add an .exclude() to the Visitors lookup.
Django's middleware will probably help you achieve this. The issue is that you will probably want to allow multiple anonymous sessions from the same IP address, even authenticated sessions for different users, but not authenticated sessions for the same user.
You'll want to:
Create a user profile model to store the IP address of a user's last login. See Django's Storing additional information about users documentation.
Implement a custom authentication backend. This backend, when triggered and successfully authenticating a user (just call super) would wipe out the user's last login IP in the profile model.
Implement a subclass of Django's django.contrib.sessions.SessionMiddleware class. Implement process_request. If the request.user object's profile model has no IP address, set it and allow the request. If it has an IP, and the IP is different from the current request's IP (request.META.REMOTE_ADDR), then do whatever you like to either log out the other user, or return an error to the requestor.
Update your settings.py file so that your custom auth backend is processed first, and so that your custom session middleware is also processed first. This involves updating settings.AUTHENTICATION_BACKENDS and settings.MIDDLEWARE_CLASSES.
You'll need to do this with custom middleware.
In your middleware process_request() method you will have access to the request object so you can do something like the following:
Now you know the IP address, so check a model you create that (roughly) would look like this:
So when a session is created or deleted you will modify your session ip's table accordingly, and when a request comes in make sure the IP address isn't being used for another session. If it is, then return a Http404 (or something like it) from the middleware.
A pluggable app that can show you a lot more detail (and even includes IP address in its own model) is django-tracking.
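Added example (not code from any of the answers above): the "last user to login wins" policy written in the shape of new-style Django middleware plus a user_logged_in signal handler, keyed on the session key rather than the IP address because users behind one NAT or proxy share an address. The in-memory ACTIVE_SESSION registry, FakeSession and make_request are assumptions made so the block runs without Django installed; a real deployment would keep the registry in a model or shared cache and return an HttpResponse.

```python
from types import SimpleNamespace

# Assumption: user id -> session key of the most recent login. In a real
# deployment this lives in a model or shared cache, not process memory.
ACTIVE_SESSION = {}


def on_user_logged_in(sender, request, user, **kwargs):
    """Handler with the signature of Django's user_logged_in signal.

    Django's login() rotates the session key before the signal fires, so
    the key recorded here identifies the newest session for this user.
    """
    ACTIVE_SESSION[user.pk] = request.session.session_key


class SingleSessionMiddleware:
    """Must be listed after the session and authentication middleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = request.user
        if user.is_authenticated:
            # Fail closed: a session that is not the registered one (or a
            # user with no registered session at all) is rejected.
            if ACTIVE_SESSION.get(user.pk) != request.session.session_key:
                request.session.flush()  # destroy the superseded session
                # Stand-in for HttpResponse(status=401) or a login redirect.
                return SimpleNamespace(status_code=401)
        return self.get_response(request)


class FakeSession:
    """Constructed stand-in for request.session (sample data only)."""

    def __init__(self, key):
        self.session_key, self.flushed = key, False

    def flush(self):
        self.session_key, self.flushed = None, True


def make_request(user_pk, session_key):
    """Build a constructed request carrying an authenticated user."""
    user = SimpleNamespace(pk=user_pk, is_authenticated=True)
    return SimpleNamespace(user=user, session=FakeSession(session_key))
```

In a Django project the handler would be registered with user_logged_in.connect(on_user_logged_in) from django.contrib.auth.signals.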