diff --git a/config/settings/base.py b/config/settings/base.py index a6ffdb954bdedbb32a00afdd985238cf736ae3b3..e08e45202813e623741d20858985074ac005c5e0 100644 --- a/config/settings/base.py +++ b/config/settings/base.py @@ -66,6 +66,11 @@ USE_TZ = True ALLOWED_HOSTS = ['localhost', '127.0.0.1', SERVER_FQDN, '{0}.ligo.org'.format(SERVER_HOSTNAME)] +# Sessions settings ----------------------------------------------------------- +SESSION_COOKIE_AGE = 3600 +SESSION_ENGINE = 'user_sessions.backends.db' +LOGOUT_REDIRECT_URL = '/' + # LVAlert and LVAlert Overseer settings --------------------------------------- # Switches which control whether alerts are sent out SEND_XMPP_ALERTS = False @@ -307,7 +312,8 @@ MIDDLEWARE = [ 'core.middleware.api.ClientVersionMiddleware', 'core.middleware.api.CliExceptionMiddleware', 'django.middleware.common.CommonMiddleware', - 'django.contrib.sessions.middleware.SessionMiddleware', + 'core.middleware.proxy.XForwardedForMiddleware', + 'user_sessions.middleware.SessionMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'ligoauth.middleware.ShibbolethWebAuthMiddleware', @@ -326,7 +332,7 @@ INSTALLED_APPS = [ 'django.contrib.auth', 'django.contrib.admin', 'django.contrib.contenttypes', - 'django.contrib.sessions', + 'user_sessions', 'django.contrib.sites', 'django.contrib.staticfiles', 'django.contrib.messages', @@ -342,6 +348,7 @@ INSTALLED_APPS = [ 'guardian', 'django_twilio', 'django_extensions', + 'django.contrib.sessions', ] # Aliases for django-extensions shell_plus diff --git a/config/settings/dev.py b/config/settings/dev.py index 69b1564716ca11f6c7abe537cfffc519da5ffd12..4a224125ec35ac4dbbd7da2a630fb5ea7181e6ff 100644 --- a/config/settings/dev.py +++ b/config/settings/dev.py 
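Review bot: The new sessions block sets `SESSION_COOKIE_AGE = 3600` with no comment on the unit or the intent, and nothing visible in this hunk sets `SESSION_COOKIE_SECURE`; since session rows will now carry an IP address and user agent, it is worth confirming elsewhere in the settings that the cookie is restricted to HTTPS. I would add `# Session lifetime in seconds (one hour); the expiry only moves forward when the session is modified, unless SESSION_SAVE_EVERY_REQUEST is True` above the setting. Expired rows stay in the database-backed store until `clearsessions` is run, so a scheduled run of that command should accompany this change if one is not already in place.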
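Review bot: The last `INSTALLED_APPS` hunk re-adds `'django.contrib.sessions'` at the end of the list, after the previous hunk swapped it for `'user_sessions'`, and no comment says why both are installed. django-user-sessions is meant to replace the stock app, so keeping both leaves the old session model and its table registered alongside the new one. If that is deliberate (for example another app importing the stock `Session` model, which I cannot tell from the hunk), record it with a comment such as `# kept for <reason>; sessions are served by user_sessions`; otherwise drop the line.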
@@ -38,12 +38,6 @@ if 'silk' in INSTALLED_APPS: # prevent DOS attacks, so should not be changed in production. DATA_UPLOAD_MAX_MEMORY_SIZE = 20*(1024**2) -# Add XForwardedFor middleware directly before debug_toolbar middleware -# if debug_toolbar is enabled and DEBUG is True. -if DEBUG and debug_middleware in MIDDLEWARE: - MIDDLEWARE.insert(MIDDLEWARE.index(debug_middleware), - 'core.middleware.proxy.XForwardedForMiddleware') - # Tuple of IPs which are marked as internal, useful for debugging. # Tanner (5 Dec. 2017): DON'T CHANGE THIS! Django Debug Toolbar exposes # some headers which we want to keep hidden. So to be safe, we only allow diff --git a/config/urls.py b/config/urls.py index 1d3db0dc00a4320424cb9b004c1bad8b2c7e7618..1a1781b2f2298cbfa8ec454ab613751aede1d885 100644 --- a/config/urls.py +++ b/config/urls.py @@ -65,6 +65,9 @@ urlpatterns = [ # (r'^admin/doc/', include('django.contrib.admindocs.urls')), url(r'^admin/', admin.site.urls), + # sessions + #url(r'', include('user_sessions.urls', 'user_sessions')), + ] # We don't require settings.DEBUG for django-silk since running unit tests diff --git a/gracedb/core/middleware/proxy.py b/gracedb/core/middleware/proxy.py index 115dfa121ec5bb2ebb9580d5196666b499d4e493..c9293ad34a88cd3f9c6f1158b09beb9ce41be785 100644 --- a/gracedb/core/middleware/proxy.py +++ b/gracedb/core/middleware/proxy.py 
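Review bot: The added `#url(r'', include('user_sessions.urls', 'user_sessions')),` in `config/urls.py` is commented-out code, so the commit ships session tracking without the package's views that let a user list and end their own sessions. Either enable the include, or replace the dead line with a comment that states the decision, e.g. `# TODO: route user_sessions.urls once the session list view is wanted`. The `urlpatterns` list starts outside the hunk.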
@@ -1,17 +1,20 @@ -from django.utils.deprecation import MiddlewareMixin -from django.conf import settings -from django.http import HttpResponse -class XForwardedForMiddleware(MiddlewareMixin): - def process_request(self, request): - if ('HTTP_X_FORWARDED_FOR' in request.META and settings.DEBUG and - 'debug_toolbar' in settings.INSTALLED_APPS): - # If we're in debugging mode and the debug toolbar is on AND there - # is a forwarded IP address, then set REMOTE_ADDR to be the value - # of the HTTP_X_FORWARDED_FOR header. This allows the debug toolbar - # to work as expected. As of now, there is only one other place in - # the server code where REMOTE_ADDR is used, and it's handled - # properly, so this won't affect it. +class XForwardedForMiddleware(object): + + def __init__(self, get_response): + self.get_response = get_response + + def __call__(self, request): + # Process request ----------------------------------------------------- + if request.META.has_key('HTTP_X_FORWARDED_FOR'): request.META['REMOTE_ADDR'] = \ request.META['HTTP_X_FORWARDED_FOR'].split(",")[0].strip() + + # Get response -------------------------------------------------------- + response = self.get_response(request) + + # Process response ---------------------------------------------------- + + # Return response ----------------------------------------------------- + return response diff --git a/requirements.txt b/requirements.txt index 14b562e56aa8660ada91abdfbf82222d98a962f1..f2d6223b2b9d71352080482d23902956276d08d1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,6 +7,7 @@ django-maintenance-mode==0.7.2 django-model-utils==3.1.1 django-silk==3.0.1 django-twilio==0.9.0 +django-user-sessions==1.6.0 djangorestframework==3.9.0 flake8==3.5.0 gunicorn==19.7.1
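Review bot: `__call__` now copies the left-most `X-Forwarded-For` entry into `REMOTE_ADDR` on every request, and that entry is the part of the header the client chooses unless the front proxy overwrites it; the removed version did this only under `DEBUG` with debug_toolbar installed. Because the same commit moves this middleware into the base `MIDDLEWARE` list ahead of `user_sessions.middleware.SessionMiddleware`, the IP recorded with each session and any `REMOTE_ADDR` comparison, such as the internal-IP check described in `dev.py`, would follow a header value rather than the socket peer. I would accept the header only when the direct peer is a known proxy and take the right-most hop that is not one of ours, as sketched below; `TRUSTED_PROXIES` is a proposed setting name that is not in this commit, and the `from django.conf import settings` line removed here would need to stay. Separately, `request.META.has_key(...)` exists only on Python 2 dicts, while `'HTTP_X_FORWARDED_FOR' in request.META` works on both.

```python
    def __call__(self, request):
        # TRUSTED_PROXIES: proposed setting (not part of this commit) listing
        # the reverse-proxy addresses allowed to supply X-Forwarded-For.
        trusted = getattr(settings, 'TRUSTED_PROXIES', ())
        forwarded = request.META.get('HTTP_X_FORWARDED_FOR', '')
        if forwarded and request.META.get('REMOTE_ADDR') in trusted:
            # Read from the right: our own proxy appends the last hop,
            # everything further left is supplied by the client.
            hops = [h.strip() for h in forwarded.split(',') if h.strip()]
            while len(hops) > 1 and hops[-1] in trusted:
                hops.pop()
            if hops:
                request.META['REMOTE_ADDR'] = hops[-1]
        # … unchanged: get_response call and return …
```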