diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index baf28ec2b38..2f4b7b8822f 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -214,6 +214,8 @@
 # `RemoteUser` is usually used behind AuthN proxy and users should not know about this mechanism from Swagger because it is not usable by users.
 # It should be hidden by default.
 DD_AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER=(bool, False),
+ # Some security policies require allowing users to have only one active session
+ DD_SINGLE_USER_SESSION=(bool, False),
 # if somebody is using own documentation how to use DefectDojo in his own company
 DD_DOCUMENTATION_URL=(str, "https://documentation.defectdojo.com"),
 # merging findings doesn't always work well with dedupe and reimport etc.
@@ -919,6 +921,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 "auditlog",
 "pgtrigger",
 "pghistory",
+ "single_session",
 )
 
 # ------------------------------------------------------------------------------
@@ -1149,6 +1152,13 @@ def saml2_attrib_map_format(din):
 ("dojo.remote_user.RemoteUserAuthentication",) + \
 REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
 
+# ------------------------------------------------------------------------------
+# SINGLE_USER_SESSION
+# ------------------------------------------------------------------------------
+
+SESSION_ENGINE = "django.contrib.sessions.backends.db"
+SINGLE_USER_SESSION = env("DD_SINGLE_USER_SESSION")
+
 # ------------------------------------------------------------------------------
 # CELERY
 # ------------------------------------------------------------------------------
diff --git a/requirements.txt b/requirements.txt
index 09f04207136..b40d5a46f1a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,6 +19,7 @@ django-slack==5.19.0
 django-watson==1.6.3
 django-prometheus==2.4.1
 Django==5.1.13
+django-single-session==0.2.0
 djangorestframework==3.16.1
 html2text==2025.4.15
 humanize==4.13.0
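Review bot: The comment added above `DD_SINGLE_USER_SESSION` is hard to parse ("require allowing users to have only one active session") and does not say what the flag actually does or which component enforces it. Since this is the line operators read when deciding whether to enable it, I would reword it to `# Some security policies require that a user has at most one active session; when True, a new login invalidates the user's other sessions (enforced by django-single-session)`. The enclosing `environ.Env(...)` call starts and ends outside the hunk.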
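Review bot: `SESSION_ENGINE = "django.contrib.sessions.backends.db"` is set unconditionally and without a comment, so the DB session backend is forced for every deployment even when `SINGLE_USER_SESSION` is False, and if the file already defines `SESSION_ENGINE` earlier (not visible in this hunk) that value is silently overridden. The constraint presumably comes from django-single-session needing the `Session` model to track per-user sessions, but that reasoning should be stated in the file: `# django-single-session links sessions to users through the Session model, so the DB-backed session engine is required (even when SINGLE_USER_SESSION is False, since the app is always installed)`. Operators should also be told that DB-backed sessions are only pruned by running Django's `clearsessions` management command periodically; otherwise expired rows accumulate in `django_session`, which is worth a one-line note next to the setting.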