
Session authentication

Open Amaelb opened this issue 5 years ago • 6 comments

As mentioned in #373, session authentication is working in djoser.

I would like to advocate to keep session authentication working after the code refactoring announced by @dekoza in #373 .

While token-based auth in Django is convenient, the need to use local (or session) storage to store the tokens is a potential security breach: see for instance this very opinionated article or those ones.

Thus using session auth is sometimes required, the drawback being the need to mitigate CSRF attacks, which is pretty well handled by Django.

BTW, some people have even spent time to code this by hand.

Anyway, thank you for this great library.

Amaelb avatar Jun 03 '19 19:06 Amaelb

This feature needs to be at least properly documented to avoid confusion like in #394

dekoza avatar Jun 04 '19 11:06 dekoza

What is the status of this? I need session authentication since I'm migrating from Django forms to DRF slowly. I currently have a hybrid of Django templates and Vue, all using session which is fine, but I can't use Djoser if session is not supported.

BojanKogoj avatar Apr 10 '20 10:04 BojanKogoj

Me too, I need session authentication.

ghost avatar Sep 17 '20 17:09 ghost

It works for me:

DJOSER = {
    # ... other djoser settings ...
    'CREATE_SESSION_ON_LOGIN': True,
    # ...
}

ghost avatar Sep 20 '20 11:09 ghost

CREATE_SESSION_ON_LOGIN doesn't enable session authentication - there is a sessionid set in the set_password method but it doesn't appear to be created anywhere else. For instance, if a user logs in, no sessionid cookie is passed to the frontend.

It would be great if this was possible as it would allow using the same auth method between API calls and regular Django views.

YPCrumble avatar Jul 01 '21 20:07 YPCrumble

> CREATE_SESSION_ON_LOGIN doesn't enable session authentication - there is a sessionid set in the set_password method but it doesn't appear to be created anywhere else. For instance, if a user logs in, no sessionid cookie is passed to the frontend.
>
> It would be great if this was possible as it would allow using the same auth method between API calls and regular Django views.

I'm not sure what you are trying to do, but if you have an active session you can call any authenticated API without passing the token; you just need to enable passing credentials on your client.

Also, when you're working with sessions, they tend to be very finicky, you need to make sure you are on a secure session, Access-Control-Allow-Origin is not a wildcard (*), if SameSite is set to lax or strict...

Jonhyfun avatar Aug 28 '23 21:08 Jonhyfun
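As an added example (not code from this issue or from djoser itself), here is the client side of what Jonhyfun describes: a browser fetch that relies on the Django session cookie instead of a token, sending credentials and the CSRF token that DRF's SessionAuthentication enforces on unsafe methods. It assumes Django's default cookie and header names (csrftoken / X-CSRFToken), that the API is same-site or served from an origin allowed with credentials, and that djoser's URLs are mounted under /auth/.

```javascript
// Added example, not part of the djoser issue or project.
// Assumptions: Django defaults for the CSRF cookie ("csrftoken") and header
// ("X-CSRFToken"); API reachable with credentials (same-site, or an exact
// CORS origin with credentials allowed, never a wildcard).

// Read one cookie value from a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Methods Django treats as "safe": no CSRF token is required for them.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build fetch() options for a session-authenticated request.
// credentials: 'include' makes the browser attach the sessionid cookie
// (fetch omits it on cross-origin requests by default), and unsafe methods
// carry the CSRF token from the cookie in the header Django checks.
function sessionRequestOptions(method, body, cookieString) {
  const opts = {
    method,
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
  };
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    const token = getCookie('csrftoken', cookieString);
    if (!token) throw new Error('CSRF cookie missing; load a page that sets it first');
    opts.headers['X-CSRFToken'] = token;
  }
  if (body !== undefined) opts.body = JSON.stringify(body);
  return opts;
}

// Browser usage (not executed here); /auth/ prefix is an assumption:
// fetch('/auth/users/me/', sessionRequestOptions('GET', undefined, document.cookie));
// fetch('/auth/users/set_password/',
//       sessionRequestOptions('POST', { current_password: '...', new_password: '...' },
//                             document.cookie));
```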