Limit Login Attempts
A snippet showing how to lock accounts temporarily after too many failed logins.
# views.py
from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect
from django.contrib import messages
def login_view(request):
MAX_ATTEMPTS = 5
key = f'login_attempts_{request.META.get("REMOTE_ADDR")}'
attempts = request.session.get(key, 0)
if request.method == 'POST':
if attempts >= MAX_ATTEMPTS:
messages.error(request, 'Too many failed attempts. Try again later.')
return render(request, 'login.html')
username = request.POST.get('username')
password = request.POST.get('password')
user = authenticate(request, username=username, password=password)
if user is not None:
login(request, user)
request.session[key] = 0
return redirect('home')
else:
request.session[key] = attempts + 1
messages.error(request, 'Invalid credentials')
return render(request, 'login.html')
# templates/login.html
<h2>Login</h2>
<form method="POST">
{% csrf_token %}
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<button type="submit">Login</button>
</form>
{% if messages %}
{% for message in messages %}
<p>{{ message }}</p>
{% endfor %}
{% endif %}
Explanation:
- We track failed login attempts using the user's IP address and store it in the session.
- If the number of attempts exceeds the max limit (e.g. 5), login is blocked temporarily.
- After a successful login, the attempt count is reset to 0 for that session/IP.
-
This is a simple method. For advanced protection, consider using packages like
django-axes.
- Category Authentication & Authorization
- Total Views 589
- Last Modified 01 January, 2026
- Tags #login #security #auth #sessions
Previous snippet
Remember Me (Persistent Sessions)
Next snippet