Defense-Grade Session Middleware

SESSION HARDENING.

NIST SP 800-53 aligned. Fingerprint binding, audit logging, and hookable gates: three drop-in middleware classes that harden your Django session layer.

ALIGNED WITH

NIST AC-12, NIST SC-23, NIST AU-3, OWASP. Requires Django 4.2+ and Python 3.10+.

Three Drop-In Middleware

Each class solves a distinct security problem. Use one, two, or all three — they compose cleanly.

SessionSecurity

Binds sessions to device fingerprints, enforces absolute and idle timeouts, and detects mid-session claim drift.

  • IP + User-Agent fingerprint binding
  • 8h absolute / 30min idle timeouts
  • JWT claim drift detection
  • Customizable exempt paths

AuditMiddleware

Privacy-preserving security audit trail for every authenticated request. Structured logging without PII leakage.

  • Per-request audit events
  • Customizable identity extraction
  • NIST AU-3 / AU-12 aligned
  • Hookable via method overrides

GateMiddleware

Base class for building cacheable conditional gates — compliance checks, onboarding flows, feature flags.

  • Cacheable gate results
  • Configurable fail-open / fail-closed
  • Custom check + on_reject hooks
  • Composable with other middleware

SECURITY CAPABILITIES.

Production-ready session hardening aligned with industry security frameworks.

Fingerprint Binding

Sessions are bound to the client's IP address and User-Agent. Any change invalidates the session immediately.

  • IP address binding (configurable)
  • User-Agent binding (configurable)
  • Trusted proxy depth support

Timeout Enforcement

Dual timeout strategy — absolute limit prevents stale sessions, idle limit catches abandoned ones.

  • 8-hour absolute timeout (default)
  • 30-minute idle timeout (default)
  • NIST AC-12 compliant

Claim Drift Detection

Detects when JWT claims change mid-session — catches privilege escalation and token manipulation.

  • Monitors critical claims per request
  • Customizable claim selection
  • Session Authenticity (NIST SC-23)

Audit Trail

Privacy-preserving structured logs for every authenticated request. No PII leakage by default.

  • Structured JSON audit events
  • Exempt path filtering
  • NIST AU-3/AU-12 aligned

Designed for Hookability

Every middleware class is designed to be subclassed. Override the methods you need, keep the defaults for everything else.

Custom Claim Selection

Override `get_critical_claims()` to define which Auth0/OIDC claims trigger drift detection.

Custom Login URLs

Override `get_login_url()` for platform-specific login flows — multi-tenant ready out of the box.

Gate Pattern

Build compliance gates, onboarding flows, or feature flags by subclassing `GateMiddleware` with a single `check()` method.

middleware/compliance.py
from session_armor import GateMiddleware
from django.shortcuts import redirect


def user_accepted_terms(request) -> bool:
    # Placeholder lookup (not part of the original snippet): replace with your
    # project's own check of whether the user has accepted the current terms.
    user = getattr(request, 'user', None)
    return bool(user and user.is_authenticated and getattr(user, 'accepted_terms', False))


class ComplianceGate(GateMiddleware):
    gate_id = 'compliance'                       # identifier for this gate
    cache_ttl_setting = 'COMPLIANCE_CACHE_TTL'   # settings.py key that overrides the TTL
    default_cache_ttl = 3600                     # one hour when the setting is absent
    fail_open = False                            # fail closed: a failing check blocks the request

    def check(self, request) -> bool:
        return user_accepted_terms(request)

    def on_reject(self, request):
        return redirect('/accept-terms/')

INTEGRATION

1 Install the package

$ pip install SessionArmor

2 Add middleware to settings.py

# settings.py

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # ... your auth middleware ...
    'session_armor.session.SessionSecurityMiddleware',
    'session_armor.audit.AuditMiddleware',
    # ... rest of your middleware ...
]

# Optional settings (shown with defaults)
SESSION_ABSOLUTE_TIMEOUT = 28800      # 8 hours
SESSION_IDLE_TIMEOUT = 1800           # 30 minutes
SESSION_BIND_IP = True
SESSION_BIND_USER_AGENT = True
SESSION_DETECT_CLAIM_DRIFT = True

Security blueprint

How teams harden Django sessions in production

SessionArmor is designed for staged adoption. Start with session security, add audit logging, then build custom gates — each middleware works independently.

Phase 1 — Harden

Add SessionSecurityMiddleware. Bind sessions to fingerprints, enforce timeouts, and enable claim drift detection.

Phase 2 — Observe

Add AuditMiddleware. Capture structured audit events for every authenticated request. Feed into your SIEM.

Phase 3 — Gate

Build custom GateMiddleware subclasses for compliance checks, onboarding flows, and feature flags.

Security controls teams verify before shipping

  • Session fixation prevention through fingerprint binding on every request.
  • Absolute and idle timeouts to meet NIST AC-12 session termination requirements.
  • Claim drift detection to catch mid-session privilege escalation attempts.
  • Privacy-preserving audit logs that satisfy AU-3 without leaking PII.