Ethan, Thanks for the feedback. I did create my own middleware, and it was ridiculously simple. I just looked at the django.middleware files and saw how easy it was.
I only had to make exceptions for the pages pertaining to resetting a forgotten password (from django.contrib.auth.views) and the login page. I put them in the same middleware, because it was so simple. I would tend to agree that they should be separate, except that they're each handling one end of an 'if' block (logged in or not), and it might actually make more sense to the maintenance programmer to have them together.

For the curious, here's my code. Also, for the wise and helpful who might find fatal flaws and will help me correct them:

http://pastebin.com/f4ddc98b6

Incidentally, this is part of a larger effort to make contrib.auth PCI compliant. Since this was the last step in that effort, I'm planning to write up the whole thing, since I asked about how to do it and didn't get any answers.

PCI compliance requires password expiration after 90 days (max), a minimum password length, letters and numbers in the password, and disallowing users from re-using old passwords for a minimum of the four most recently used.

Shawn
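The rules listed in the message above, as an added example in plain Python; it is not the pastebin code and not part of the original post. The URL paths, the exemption for the password-change page, the minimum length of 8, the PBKDF2 storage format and all function names are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

MAX_AGE = timedelta(days=90)   # from the post: expire after 90 days (max)
HISTORY_DEPTH = 4              # from the post: four most recently used
MIN_LENGTH = 8                 # assumed; the post gives no number
# Assumed URLs for the login and forgotten-password pages the post exempts.
PUBLIC_PREFIXES = ("/accounts/login/", "/accounts/password_reset/")
# Assumed: the change page must stay reachable or an expired user loops forever.
CHANGE_PATH = "/accounts/password_change/"


def hash_password(password, salt=None):
    """Return (salt, digest); history stores these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def policy_errors(password, history):
    """history is a list of (salt, digest) tuples, newest first."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        errors.append("needs letters and numbers")
    for salt, digest in history[:HISTORY_DEPTH]:
        # Re-hash the candidate with each stored salt; constant-time compare.
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            errors.append("reused")
            break
    return errors


def decide(path, authenticated, last_changed, now):
    """Both ends of the 'if' in one place: 'allow', 'login' or 'change_password'."""
    if not authenticated:
        return "allow" if path.startswith(PUBLIC_PREFIXES) else "login"
    if path.startswith(CHANGE_PATH):
        return "allow"
    if now - last_changed > MAX_AGE:
        return "change_password"
    return "allow"
```

In a Django middleware, `decide` would be called with `request.path` and the user's stored password-change timestamp, and the two non-`allow` results would map to redirects.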