On Sun, Jan 15, 2012 at 7:06 AM, Darren Spruell <phatbuck...@gmail.com> wrote:
> Greetings,
>
> As an enhancement to the existing collection of signals I wanted to
> propose the addition of a signal for the event of an unsuccessful
> login. Currently django.contrib.auth supports user_logged_in and
> user_logged_out for successful events. Addition of e.g.
> user_failed_login would allow this event to be handled. I'm interested
> in logging this as a security event for the application. I've seen
> past discussions on the topic of implementing protection against
> password guessing attacks. It seems to me that at least having the
> signal available would then give some basis for developers to flexibly
> implement customized approaches for handling and responding to login
> failures.
>
> I've been advised that I can reach some form of similar functionality
> by subclassing the auth backend. Does the new signal approach have
> merit?

To me subclassing the auth backend is nicer than a signal, more
explicit. Furthermore, adding a signal to the default backend would
provide very limited information about the attacker since ModelBackend
only "knows" the username/password combination. In the context of a
brute-force attack it's not enough, since you need to take action
against a specific *attacker* without blocking the whole user account
and legitimate login attempts.

To address this issue (apologies for the plug) I wrote
django-ratelimit-backend [0], which is basically a request-aware
authentication backend and a bunch of helpers for login forms, login
views and the admin.

I wouldn't mind seeing it added to Django itself but this topic has
been discussed several times before, with the conclusion that
solutions and use cases are often too specific, hence a generic
solution would be hard to add to Django core.

Regards,
Bruno

[0] https://github.com/brutasse/django-ratelimit-backend
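
The per-attacker versus per-account distinction made in the reply above, as an added example that is not part of the original thread and not code from Django or from django-ratelimit-backend. Django is deliberately not imported: FakeRequest, UserStore, FailureCounter, the two backend classes, the IP addresses, the window and failure limits, and the simulate() driver are all constructed here to stand in for what a real backend sees (request.META['REMOTE_ADDR'] plus a user lookup). The request-aware backend keys its counter on (client IP, username), so the guessing host is locked out while the account stays usable from elsewhere; the username-only variant, which is all a failed-login signal from the stock backend could drive, has no choice but to lock the whole account.

```python
"""Request-aware vs. username-only throttling of failed logins.

Illustrative stand-in written for this discussion; not code from Django or
django-ratelimit-backend.  All classes, addresses and limits are constructed.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # sliding window for counting failures (assumption)
MAX_FAILURES = 5          # failures tolerated per key inside the window (assumption)


class FakeRequest:
    """Minimal stand-in for the request object a request-aware backend sees."""
    def __init__(self, remote_addr):
        self.META = {"REMOTE_ADDR": remote_addr}


class UserStore:
    """Constructed user table; passwords kept as PBKDF2-SHA256 digests."""
    def __init__(self, users):
        self._users = {}
        for name, pw in users.items():
            salt = hashlib.sha256(name.encode()).digest()  # constructed per-user salt
            self._users[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000))

    def check_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so unknown usernames cost as much as known ones.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 32, 10_000)
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(candidate, expected)


class FailureCounter:
    """Sliding-window failure counter keyed by an arbitrary string."""
    def __init__(self, now=time.time):
        self._now = now
        self._events = defaultdict(deque)

    def _prune(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        q = self._events[key]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def count(self, key):
        return len(self._prune(key))

    def record(self, key):
        self._prune(key).append(self._now())


class RequestAwareBackend:
    """Throttles by (client IP, username): the attacker's address is locked
    out, the account itself stays usable from any other address."""
    def __init__(self, store, counter):
        self.store, self.counter = store, counter

    def authenticate(self, request, username, password):
        key = f"{request.META['REMOTE_ADDR']}:{username}"
        if self.counter.count(key) >= MAX_FAILURES:
            return None            # limited before the password is even checked
        if self.store.check_password(username, password):
            return username
        self.counter.record(key)
        return None


class UsernameOnlyBackend:
    """What a failed-login signal carrying only the username could drive:
    the lockout necessarily hits the whole account."""
    def __init__(self, store, counter):
        self.store, self.counter = store, counter

    def authenticate(self, request, username, password):
        if self.counter.count(username) >= MAX_FAILURES:
            return None
        if self.store.check_password(username, password):
            return username
        self.counter.record(username)
        return None


def simulate(backend_cls):
    """Attacker sends MAX_FAILURES wrong guesses for 'alice' from one IP, then
    alice logs in correctly from her own IP.  Returns
    (attacker_blocked_even_with_right_password, legitimate_login_ok)."""
    clock = [1_000_000.0]                              # injected clock, deterministic
    counter = FailureCounter(now=lambda: clock[0])
    backend = backend_cls(UserStore({"alice": "correct horse battery staple"}), counter)
    attacker, alice = FakeRequest("203.0.113.5"), FakeRequest("198.51.100.7")
    for i in range(MAX_FAILURES):
        backend.authenticate(attacker, "alice", f"guess{i}")
        clock[0] += 1
    attacker_blocked = backend.authenticate(attacker, "alice", "correct horse battery staple") is None
    legit_ok = backend.authenticate(alice, "alice", "correct horse battery staple") == "alice"
    return attacker_blocked, legit_ok


if __name__ == "__main__":
    print("request-aware :", simulate(RequestAwareBackend))   # (True, True)
    print("username-only :", simulate(UsernameOnlyBackend))   # (True, False)
```

Keying on the client address alone is a heuristic: a distributed guessing campaign spreads over many addresses and a NAT puts many legitimate users behind one, so in practice the per-IP counter is combined with other signals rather than used as the sole lockout criterion.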

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
