Question

I m in a bit of a dilemma at the moment regarding Django s admin backend. The default authentication system allows already logged-in users that have staff privileges to access the admin site, however it just lets them straight in.

This doesn t feel “right” to me, and I m wondering if it would be difficult to at least require a re-authentication of that same session in order to get into the backend.

Preferably though, it d be good if the frontend sessions could be separated from the backend ones (though still using the same user objects), this would allow a clean separation of both parts of the site. Would this perhaps require two separate authentication backends? Would something like this be difficult to achieve?

Answer 1

Here s an idea: run the admin app on a different domain to the frontend. The cookies won t be valid in the other domain, so the user will have to log in again. All you d need would be a separate Apache vhost and a basic settings.py that just has contrib.admin in INSTALLED_APPS.

Answer 2

You could probably implement a middleware that asks for authentication when accessing the admin site from a referer not in the admin site. It could log the person out and make them log back in, but even that wouldn t be necessary. Just require another password entry, and redirect them if it fails. It might involve setting a session variable, is_admin_authenticated or something.

友情链接