[Django]-User Authentication in Django

5👍

✅

Being logged in twice is ambiguous over HTTP. There’s no “disconnecting” signal that’s sent. You can frustrate people if you’re not careful.

If I shut down my browser and drop the cookies — accidentally — I might be prevented from logging in again.

How would the server know it was me trying to re-login vs. me trying to login twice?

You can try things like checking the IP address. And what if the accidental disconnect was my router crashing, releasing my DHCP lease? Now I’m trying to re-login, but I have a new address and no established cookie. I’m not trying to create a second session, I’m just trying to get back on after my current session got disconnected.

The point is that there’s no well-established rule for “single session” that can be installed in a framework. You have to make up a rule appropriate to your application and figure out how to enforce it.

👤S.Lott

4👍

A site I did last year was concerned that usernames/passwords might be posted to a forum. I dealt with this by adding a model and a check to the login view that looked at how many unique IPs the name had been used from in the last X hours. I gave the site admins two values in settings.py to adjust the number of hours and the number of unique IPs. If a name was being "overused" it was blocked for logins from new IPs until enough time had passed to fall below the threshold.

Much to their surprise, they have had only one name trigger the blocking in the last year and that turned out to be the company president who was on a business trip and kept logging in from new locations.

👤Peter Rowell
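The unique-IP throttle Peter Rowell describes, written out as an added example (this is not his code, and nothing here comes from the original site). It is plain Python so it runs without Django: the in-memory event list stands in for his model, `login()` stands in for the check in his login view, and the two settings names `LOGIN_IP_WINDOW_HOURS` and `LOGIN_MAX_UNIQUE_IPS` are assumptions. The sample login sequence is constructed. One refinement beyond his description: an address is only recorded after the password check succeeds, so that wrong-password attempts from many IPs cannot lock a legitimate user out of their own account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical settings.py values; the names are assumptions.
LOGIN_IP_WINDOW_HOURS = 12
LOGIN_MAX_UNIQUE_IPS = 3


@dataclass
class LoginEvent:
    """One successful login: who, from which address, when."""
    username: str
    ip: str
    at: datetime


@dataclass
class LoginIPTracker:
    """Stands in for the model plus the check in the login view."""
    window_hours: int = LOGIN_IP_WINDOW_HOURS
    max_unique_ips: int = LOGIN_MAX_UNIQUE_IPS
    events: list = field(default_factory=list)

    def recent_ips(self, username: str, now: datetime) -> set:
        """Distinct IPs the username has logged in from inside the window."""
        cutoff = now - timedelta(hours=self.window_hours)
        # Drop expired rows so the store does not grow without bound.
        self.events = [e for e in self.events if e.at > cutoff]
        return {e.ip for e in self.events if e.username == username}

    def allowed(self, username: str, ip: str, now: datetime) -> bool:
        """True unless the name is 'overused' and this IP is new to the window."""
        recent = self.recent_ips(username, now)
        if ip in recent:
            return True  # an address already in the window is never blocked
        return len(recent) < self.max_unique_ips

    def record_success(self, username: str, ip: str, now: datetime) -> None:
        """Call only after the password check passes; failed guesses are not
        counted, so an attacker cannot fill the window on the victim's behalf."""
        self.events.append(LoginEvent(username, ip, now))


def login(tracker: LoginIPTracker, username: str, ip: str,
          password_ok: bool, now: datetime) -> str:
    """Mimics the order of checks in a login view.
    Returns 'blocked', 'bad_credentials' or 'ok'."""
    if not tracker.allowed(username, ip, now):
        return "blocked"
    if not password_ok:
        return "bad_credentials"
    tracker.record_success(username, ip, now)
    return "ok"


def demo_shared_password() -> list:
    """Constructed sequence: a leaked name used from four addresses within an
    hour is blocked on the fourth; a known address still works; after the
    window has passed a new address is accepted again."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tracker = LoginIPTracker(window_hours=12, max_unique_ips=3)
    results = []
    for i, ip in enumerate(["203.0.113.1", "198.51.100.7", "192.0.2.9", "203.0.113.200"]):
        results.append(login(tracker, "shared", ip, True, t0 + timedelta(minutes=10 * i)))
    results.append(login(tracker, "shared", "203.0.113.1", True, t0 + timedelta(hours=1)))
    results.append(login(tracker, "shared", "203.0.113.200", True, t0 + timedelta(hours=14)))
    return results


def demo_failed_guesses() -> list:
    """Constructed sequence: five wrong-password attempts from five addresses
    do not count, so the real user logging in from a sixth address succeeds."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tracker = LoginIPTracker(window_hours=12, max_unique_ips=2)
    results = [login(tracker, "alice", f"198.51.100.{n}", False, t0 + timedelta(minutes=n))
               for n in range(1, 6)]
    results.append(login(tracker, "alice", "203.0.113.42", True, t0 + timedelta(minutes=30)))
    return results


if __name__ == "__main__":
    print(demo_shared_password())
    print(demo_failed_guesses())
```

In a real Django view, return the same generic failure message to the browser for both the `blocked` and `bad_credentials` outcomes, and log the distinction server-side instead; otherwise the throttle becomes an oracle that tells an attacker which usernames exist and are in active use. The admin-adjustable settings let the site tune how aggressive the block is without a code change, which is what kept the travelling company president as the only false positive in the story above.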
