feat(session): Single user session (#13416)

Author: kiblik

dojo/settings/settings.dist.py

@@ -214,6 +214,8 @@
     # `RemoteUser` is usually used behind AuthN proxy and users should not know about this mechanism from Swagger because it is not usable by users.
     # It should be hidden by default.
     DD_AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER=(bool, False),
+    # Some security policies require allowing users to have only one active session
+    DD_SINGLE_USER_SESSION=(bool, False),
     # if somebody is using own documentation how to use DefectDojo in his own company
     DD_DOCUMENTATION_URL=(str, "https://documentation.defectdojo.com"),
     # merging findings doesn't always work well with dedupe and reimport etc.
@@ -919,6 +921,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     "auditlog",
     "pgtrigger",
     "pghistory",
+    "single_session",
 )
 
 # ------------------------------------------------------------------------------
@@ -1149,6 +1152,13 @@ def saml2_attrib_map_format(din):
         ("dojo.remote_user.RemoteUserAuthentication",) + \
         REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
 
+# ------------------------------------------------------------------------------
+# SINGLE_USER_SESSION
+# ------------------------------------------------------------------------------
+
+SESSION_ENGINE = "django.contrib.sessions.backends.db"
+SINGLE_USER_SESSION = env("DD_SINGLE_USER_SESSION")
+
 # ------------------------------------------------------------------------------
 # CELERY
 # ------------------------------------------------------------------------------

requirements.txt

@@ -19,6 +19,7 @@ django-slack==5.19.0
 django-watson==1.6.3
 django-prometheus==2.4.1
 Django==5.1.13
+django-single-session==0.2.0
 djangorestframework==3.16.1
 html2text==2025.4.15
 humanize==4.14.0