Django login with django-axes

爱⌒轻易说出口 submitted on 2019-12-19 06:14:14

Question


I created a site with Django. Users should be able to log in. The login view looks like this:

from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
....
if request.method == 'POST':
    username = request.POST['username']  # get username
    password = request.POST['txtPwd']  # and password
    user = authenticate(username=username, password=password)  # checking username and pwd
    if user is not None:
        if user.is_active:
            login(request, user)

But with this "solution" I can't handle a brute force attack. So I looked around and found this: Throttling brute force login attacks in Django

The first answer was helpful. I chose django-axes because django-ratelimit counts only the number of calls to a view.

But here is my problem: When I try to log in with a wrong password it doesn't count the failure. (Only at the /admin-section).

I found no option to "add" my login-view to django-axes.

So here is my question:

How can I configure django-axes to handle the failed logins from my login-view?

EDIT: Here is my settings-file:

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'axes',
)

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'axes.middleware.FailedLoginMiddleware'
)

...

AXES_LOCK_OUT_AT_FAILURE = False
AXES_USE_USER_AGENT = True
AXES_COOLOFF_TIME = 1
AXES_LOGIN_FAILURE_LIMIT = 50

Answer 1:


By default django-axes uses Django's login view (django.contrib.auth.views.login). In the middleware this view is decorated with watch_login.

So you can solve your issue in two ways:

  • use the standard login view. This way django-axes does not require additional setup.
  • decorate your login view with the watch_login decorator.

For example: views.py

from axes.decorators import watch_login
...

@watch_login
def your_custom_login_view(request):
    ...

It will then be used like this in a class-based view, as mentioned by @Ali Faizan:

from django.utils.decorators import method_decorator
from django.views import View

@method_decorator(watch_login, name='dispatch')
class your_custom_login_view(View):
    ...
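
Why failures on an unwrapped view go uncounted, as an added standard-library model (not code from django-axes or from this thread). `Request`, `SETTINGS`, `watch_login_model` and the rule that a 302 redirect means a successful login are assumptions made for illustration; the credentials and addresses are constructed.

```python
import time
from functools import wraps

# Constructed values; the keys echo the AXES_* settings shown in the question.
SETTINGS = {"FAILURE_LIMIT": 3, "COOLOFF_SECONDS": 3600,
            "USE_USER_AGENT": True, "LOCK_OUT_AT_FAILURE": True}
failures = {}  # client key -> (failure count, time of last failure)

class Request:  # minimal stand-in for an HTTP request object (hypothetical)
    def __init__(self, method, ip, agent, post=None):
        self.method, self.ip, self.agent, self.POST = method, ip, agent, post or {}

def client_key(request):
    # Optionally key on the user agent as well as the IP address.
    if SETTINGS["USE_USER_AGENT"]:
        return (request.ip, request.agent)
    return (request.ip,)

def failure_count(request, now=None):
    now = time.time() if now is None else now
    count, last = failures.get(client_key(request), (0, 0.0))
    # Failures older than the cool-off period no longer count.
    return count if now - last < SETTINGS["COOLOFF_SECONDS"] else 0

def watch_login_model(view):
    """Toy login-watching decorator: only views wrapped by it are counted."""
    @wraps(view)
    def wrapper(request, now=None):
        now = time.time() if now is None else now
        over_limit = failure_count(request, now) >= SETTINGS["FAILURE_LIMIT"]
        if over_limit and SETTINGS["LOCK_OUT_AT_FAILURE"]:
            return 403  # refused before the credentials are checked
        status = view(request)
        if request.method == "POST":
            if status == 302:  # assumption: a redirect signals a successful login
                failures.pop(client_key(request), None)
            else:
                failures[client_key(request)] = (failure_count(request, now) + 1, now)
        return status
    return wrapper

def plain_login(request):
    # Constructed credential check standing in for authenticate()/login().
    ok = (request.POST.get("username") == "alice"
          and request.POST.get("txtPwd") == "s3cret")
    return 302 if ok else 200  # 200 = login form rendered again

watched_login = watch_login_model(plain_login)
```

In this model, setting `LOCK_OUT_AT_FAILURE` to `False` still records failures but lets a client that is over the limit through to the credential check.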


Source: https://stackoverflow.com/questions/25760023/django-login-with-django-axes
