Limit Login Attempts

A snippet showing how to lock accounts temporarily after too many failed logins.


# views.py

from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect
from django.contrib import messages

def login_view(request):
    MAX_ATTEMPTS = 5
    key = f'login_attempts_{request.META.get("REMOTE_ADDR")}'
    attempts = request.session.get(key, 0)

    if request.method == 'POST':
        if attempts >= MAX_ATTEMPTS:
            messages.error(request, 'Too many failed attempts. Try again later.')
            return render(request, 'login.html')

        username = request.POST.get('username')
        password = request.POST.get('password')
        user = authenticate(request, username=username, password=password)

        if user is not None:
            login(request, user)
            request.session[key] = 0
            return redirect('home')
        else:
            request.session[key] = attempts + 1
            messages.error(request, 'Invalid credentials')

    return render(request, 'login.html')
  

# templates/login.html

<h2>Login</h2>
<form method="POST">
  {% csrf_token %}
  <input type="text" name="username" placeholder="Username">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Login</button>
</form>

{% if messages %}
  {% for message in messages %}
    <p>{{ message }}</p>
  {% endfor %}
{% endif %}
  
Explanation:
  • We track failed login attempts using the user's IP address and store it in the session.
  • If the number of attempts exceeds the max limit (e.g. 5), login is blocked temporarily.
  • After a successful login, the attempt count is reset to 0 for that session/IP.
  • This is a simple method. For advanced protection, consider using packages like django-axes.
Never miss a story on Django.wiki

Subscribe for fresh tutorials, snippets, and updates.

By subscribing you agree to our Privacy Policy.