Locking Users Out After Invalid Login Attempts: Django & a Cache

7 min readJul 12, 2018

What & Why

We’ve all done it. Forgotten our passwords and been locked out of an account. It’s irritating when it’s actually you, but it does serve a purpose — namely it will significantly slow down any malicious actors trying to use brute force attacks to access accounts on your system. So let’s jump in!

In order to do this we need to keep track of a few things. We’ll talk about the specifics of how we can store this information in the cache later, but for now, let’s assume we’re tracking this information:

The user’s invalid login attempts. We don’t need to keep track of all of them indefinitely, we only need to keep track of the ones that were made within the time range, up to the number of invalid attempts they’re allowed to make. To be more specific, if we lock a user out after 5 invalid login attempts within a 10 minute time period, we don’t need to keep track of more than 5 attempts, and we don’t need to keep track of invalid attempts that were more than 10 minutes ago.
When the user’s lockout started, if they’ve been locked out.

Pseudocode & the Logic Flow

Here are the things that could happen when a user hits the login view with a POST request, and what we should do (a fun flow chart + some words for folks who aren’t visual learners!):

If they’ve been locked out, make sure the timestamp of the lockout start is within the duration of the lockout.
If it’s not, delete their entry from the cache, they can start fresh
If their lockout timestamp is within the lockout duration time period, we don’t need to process their request at all — even if the credentials are correct, we’re not going to log them in, because they’re still locked out

If they’re not locked out:

Process the request — if their credentials are correct, log them in.
If they’re incorrect, check the cache to see if they’ve already got an entry. If they don’t have an entry, we’ll add one with the timestamp for now to their timestamp bucket

If they’ve entered invalid credentials and already have an entry in the cache:

Locking Users Out After Invalid Login Attempts: Django & a Cache

What & Why

Pseudocode & the Logic Flow

Written by Adrienne Domingus

More from Adrienne Domingus

Understanding Temp Files in Postgres

Databases can feel like black boxes that hum along perfectly until suddenly they don’t. And when bad things happen with databases…they’re…

Adding Custom Views and Templates to Django Admin

The Django admin feature is great for quickly spinning up basic CRUD actions without giving someone direct database access, but gives you…

An Introduction to the Advanced Encryption Standard (AES)

Encryption is a huge part of modern software engineering. This is true both of data within our own systems, but also encryption of data we…

Sending Notifications to a Django Application using WebSockets

I work on an existing Django application, and during a recent hack week, wanted to toy with the idea of adding user notifications. There…

Recommended from Medium

Advanced Customization of the Django Admin Panel.

This article will serve as your gateway to understanding and implementing advanced customization techniques.

Microservices in Python: Django, RabbitMQ and Pika

What are microservices?

Lists

Coding & Development

General Coding Knowledge

Tech & Tools

Stories to Help You Grow as a Software Developer

Exploring the Exciting New Features of Django 5.0

Django, the popular Python web framework, is all set to release its latest version, Django 5.0, in December 2023. With each new release…

Master Django ORM Advanced Concepts

Learn to write efficient and fast Django queries. These concepts will make you a better Django developer

My favorite coding question to give candidates

A coding question, from the viewpoint of an Google/Amazon/Microsoft interviewer

Multi-Database Configuration in Django: A Step-by-Step Guide

First step to scale your system out, increase performancing and increase availability.