Location identification with login

[tristant]

Is there a mechanism in Django where we can identify the location of login? Any reading sources regarding this functionality would be much appreciated.

Along the same line, is there a way to prevent a login attempt if the location is within certain blacklisted IP subnets?

Thanks,

[David Nugent]

Yes, that is certainly possible, although there is nothing built into Django itself.

Web servers (and proxies) both pass the IP address of the remote user, which can be recorded at login together with reference to the account. Using GeoIP you can associate this more or less reliably to a location, or at least a country.  Check out the django-geoip module on pipit.org to start (and there are others)

The general approach to tracking website visitiors uses this technique and is quite a useful metric. WRT logins it can be even more useful to track where a user signed up and where they typically log in from. This can trigger, e.g. email verification when a user logs in from an unexpected address.

Blacklisting by source IP though, I would argue is the job more suited to a reverse proxy, tcpwrappers or a firewall like Linux iptables.

Regards,

David

------ Original Message ------

From "tristant" <tran.tr...@gmail.com>

To "Django users" <django...@googlegroups.com>

Date 12/26/2022 6:52:13 AM

Subject Location identification with login

[Kasper Laudrup]

On 25/12/2022 20.52, tristant wrote:
> Is there a mechanism in Django where we can identify the location of
> login? Any reading sources regarding this functionality would be much
> appreciated.
>

What you're looking for is something called geoip. To the best of my
knowledge there's no such thing build into Django (wouldn't really make
much sense anyway) but it should be trivial to query some geoip database
from your code and get a somewhat reliable idea on where that IP is
coming from.

There's no way that can be accurate but it might be useful for something
like detecting a locale (that the user can then change) or similar.

> Along the same line, is there a way to prevent a login attempt if the
> location is within certain blacklisted IP subnets?
>

It is trivial to spoof a source IP address once you reach the Django
application part of the communication. That's more of a feature than a
bug actually because of things like proxies etc.

If you want to blacklist IPs you have to do that on a lower level. For a
single server running Linux something like netfilter/iptables might be
used but I'm sure there are some more convenient scripts/services etc.
that might be used. The main point is that you cannot do this from your
Django code.

Hope that helps you in the right direction.

Kind regards,
Kasper Laudrup

[Yeboah Dominic]

This can be done GeoIP but it can be done in a different way I have done one before that was with REST API, all you have to do if you don't want to depend on any third library is to have a device model which stores the user and IP then whenever the user login saves it.

So with this, you have all the user's IPs so when they log in again then you compare their previous IPs with the current if different you can send a warning mail or you just send an OTP to verify before logging in.

What I did was for one company I worked with so I can share the code I am sorry for that.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e83a7b85-6fd3-ced8-b4bf-fdf77650cfe8%40stacktrace.dk.

[tristant]

Appreciate everyone's pointers!

Cheers,