Commit 1103c3b

Remove django-ipware
to reduce the risk of IP spoofing
1 parent a03debb commit 1103c3b

3 files changed: +15 -13 lines changed

CHANGELOG.md

Lines changed: 10 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,15 @@
11
# Unreleased
22

3-
- Add support for Python 3.13.
3+
- Add support for Python 3.13.
4+
- Remove **django-ipware** dependency to reduce the risk of IP spoofing.
5+
(for the same reason Django
6+
[removed](https://docs.djangoproject.com/en/5.2/releases/1.1/#removed-setremoteaddrfromforwardedfor-middleware)
7+
`SetRemoteAddrFromForwardedFor` in 1.1).
8+
The IP is now extracted directly from the `REMOTE_ADDR` header.
9+
Instead of relying on **django-ipware**
10+
to extract the IP address from the request,
11+
you should configure your web server
12+
to pass the real IP address in the `REMOTE_ADDR` header.
413

514
# 1.1.5 (Jun 22, 2024)
615
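Review bot: New lines 8-12 call `REMOTE_ADDR` a header, but it is not an HTTP header: it is the WSGI/CGI environ value that the application server fills in from the peer address of the connection, and Django exposes it as `request.META["REMOTE_ADDR"]`. As worded, "pass the real IP address in the `REMOTE_ADDR` header" can be read as telling operators to make the proxy send a request header named REMOTE_ADDR, which would not change that value. Suggest "The IP is now read from `request.META["REMOTE_ADDR"]`", plus a sentence saying that behind a reverse proxy the application server or a project middleware has to fill that value from a proxy-supplied header, and only for requests arriving from the trusted proxy. Deployments behind a proxy will start recording the proxy's address after upgrading, so the entry should also be flagged as a behaviour change.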

README.md

Lines changed: 4 additions & 11 deletions
@@ -209,18 +209,11 @@ Admin page:
209209
### Caveats
210210
211211
- `session.updated_at` is not the session's exact last activity. It's
212-
updated each time the session object in DB is saved. (e.g. when user
212+
updated each time the session object is saved in DB. (e.g. when user
213213
logs in, or when ip, user agent, or session data changes)
214-
215-
## Why not `django-user-sessions`?
216-
217-
[django-user-sessions](https://github.com/Bouke/django-user-sessions)
218-
has the same functionality, but only extends the `db` backend. Using a
219-
cache can improve performance.
220-
221-
We got ideas and some codes from django-user-sessions. Many thanks to
222-
[Bouke Haarsma](https://github.com/Bouke) for writing
223-
django-user-sessions.
214+
- **django-qsessions** extracts IP directly from the `REMOTE_ADDR` header.
215+
If you are using a reverse proxy, you need to configure it to pass the
216+
real IP address in the `REMOTE_ADDR` header.
224217
225218
## Development
226219
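Review bot: The deletion of the "Why not `django-user-sessions`?" section (old lines 215-223), including the credit to Bouke Haarsma for the ideas and code taken from django-user-sessions, is unrelated to dropping django-ipware and is not mentioned in the commit message. Suggest keeping it in this commit and, if it should go, removing it separately with a reason. In the new caveat (new lines 214-216) it would help to state what happens when a reverse proxy is left unconfigured, namely that every session shows the proxy's address, and to describe `REMOTE_ADDR` as the `request.META` value rather than a header.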

setup.py

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@
2828
license="MIT",
2929
packages=find_packages(".", include=("qsessions", "qsessions.*")),
3030
include_package_data=True,
31-
install_requires=["Django >= 3.2, != 4.1.0", "user-agents>=1.1.0", "django-ipware>=2.0.0"],
31+
install_requires=["Django >= 4.2", "user-agents>=1.1.0"],
3232
extras_require={"dev": dev_requirements},
3333
tests_require=dev_requirements,
3434
classifiers=[
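Review bot: New line 31 changes two things at once: besides dropping `django-ipware>=2.0.0`, it raises the Django requirement from `Django >= 3.2, != 4.1.0` to `Django >= 4.2`. The commit message and the Unreleased entries in the CHANGELOG.md hunk mention only the django-ipware removal and Python 3.13, so users on Django 3.2 to 4.1 get no notice that support was dropped. Suggest moving the version bump to its own commit, or at least adding a changelog line for it.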
