Django auth：如果他的IP与原始IP不匹配（他登录的IP）不符合用户会话， [英] Django auth: How to disallow user session if his IP doesn't match the original one(the one he logged in with)

问题描述

如果用户的IP不是与他登录的IP不一样，那么如何配置或修改认证来禁止用户会话？
我尽量保护我的Django站点免受XSS的影响。但我从来不能确定我涵盖了所有的基础。如果最糟糕的情况是最糟糕的情况，有人可以在我的网站上放置一些XSS，至少这可能会阻止他劫持现有的用户会话。

解决方案

在您的用户模型类中，创建一个存储请求的IP地址的IP字段。

original_ip_address = request.META [ 'REMOTE_ADDR']

然后在提供视图之前，只需使用存储的ip检查当前请求：

 如果request.META ['REMOTE_ADDR'] == ip_from_database：`
＃做某事
 else：
 #redirect登录
  

您可以使上述功能始终在视图中的其他任何内容之前调用。 >

How can auth can be configured or modified to disallow user sessions if the user's IP is not the same IP that he logged in with ? I really try to protect my Django site from XSS as much as I can. But I never can be sure that I covered all the bases. If worst comes to worst and someone is able to put some XSS in my site, at least this could prevent him from hijacking existing user sessions..

解决方案

In your User model class create an IP field that stores the IP address of the request.

original_ip_address = request.META['REMOTE_ADDR']

then before serving a view simply check the current request with the stored ip:

if request.META['REMOTE_ADDR'] == ip_from_database: `
# Do something
else:
 #redirect to login

you can make the above a function that is always called before anything else in a view.

这篇关于Django auth：如果他的IP与原始IP不匹配（他登录的IP）不符合用户会话，的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！