sunscrapers / djoser

REST implementation of Django authentication system.
MIT License

Session authentication #397

Open Amaelb opened 5 years ago

Amaelb commented 5 years ago

As mentioned in #373, session authentication is working in djoser.

I would like to advocate to keep session authentication working after the code refactoring announced by @dekoza in #373 .

While token-based auth in Django is convenient, the need to use local (or session) storage to store them is a potential security breach: see for instance this very opinionated article or those ones.

Thus using session auth is sometimes required, the drawback being the need to mitigate CSRF attacks, which is pretty well handled by Django.

BTW, some people have even spent time to code this by hand.

Anyway, thank you for this great library.
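The trade-off described above (session auth instead of browser-stored tokens, with Django's CSRF machinery covering the cross-site risk) comes down to a handful of settings. The following is an added configuration example, not code from djoser or from this thread. The setting names are Django's and Django REST Framework's; the `CORS_*` names assume the django-cors-headers package is installed, `CSRF_TRUSTED_ORIGINS` uses the scheme-prefixed form Django 4+ expects, and the origin is a placeholder.

```python
# Added example (not djoser's code): enable DRF session authentication next
# to token authentication and harden the cookies that make it safe.

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        # SessionAuthentication runs Django's CSRF check on unsafe methods
        # (POST/PUT/PATCH/DELETE) for session-authenticated requests.
        "rest_framework.authentication.SessionAuthentication",
        "rest_framework.authentication.TokenAuthentication",
    ],
}

# Session cookie: never sent over plain HTTP, never readable by page
# scripts, not attached to cross-site requests.
SESSION_COOKIE_SECURE = True      # Django default: False
SESSION_COOKIE_HTTPONLY = True    # Django default: True
SESSION_COOKIE_SAMESITE = "Lax"   # Django default: "Lax"; "Strict" if no
                                  # cross-site navigation to the app is needed

# CSRF cookie: the frontend must read it to send the X-CSRFToken header,
# so HttpOnly stays False; Secure keeps it off plaintext connections.
CSRF_COOKIE_SECURE = True         # Django default: False
CSRF_COOKIE_HTTPONLY = False      # Django default: False
CSRF_TRUSTED_ORIGINS = ["https://app.example.com"]   # placeholder origin

# Cross-origin frontend (django-cors-headers): list the origin explicitly;
# browsers reject a wildcard origin when credentials (cookies) are sent.
CORS_ALLOWED_ORIGINS = ["https://app.example.com"]   # placeholder origin
CORS_ALLOW_CREDENTIALS = True
```

With these in place a browser client sends the session cookie automatically (credentials enabled on the client side) and adds the `X-CSRFToken` header, read from the `csrftoken` cookie, on every unsafe request.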

dekoza commented 5 years ago

This feature needs to be at least properly documented to avoid confusion like in #394

BojanKogoj commented 4 years ago

What is the status of this? I need session authentication since I'm migrating from Django forms to DRF slowly. I currently have a hybrid of Django templates and Vue, all using session which is fine, but I can't use Djoser if session is not supported.

ghost commented 4 years ago

Me too, I need session authentication.

ghost commented 4 years ago

It works for me:

```python
DJOSER = {
    # ...
    'CREATE_SESSION_ON_LOGIN': True,
    # ...
}
```

YPCrumble commented 3 years ago

CREATE_SESSION_ON_LOGIN doesn't enable session authentication - there is a sessionid set in the set_password method but it doesn't appear to be created anywhere else. For instance, if a user logs in, no sessionid cookie is passed to the frontend.

It would be great if this was possible as it would allow using the same auth method between API calls and regular Django views.

Jonhyfun commented 1 year ago

> CREATE_SESSION_ON_LOGIN doesn't enable session authentication - there is a sessionid set in the set_password method but it doesn't appear to be created anywhere else. For instance, if a user logs in, no sessionid cookie is passed to the frontend.
>
> It would be great if this was possible as it would allow using the same auth method between API calls and regular Django views.

I'm not sure what you are trying to do, but if you have an active session you can call any authenticated API without passing the token; you just need to enable passing credentials on your client.

Also, when you're working with sessions, they tend to be very finicky: you need to make sure you are on a secure session, that Access-Control-Allow-Origin is not a wildcard (*), whether SameSite is set to lax or strict...
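The checks listed in the comment above (a Secure session, no wildcard `Access-Control-Allow-Origin` alongside credentials, an explicit SameSite), plus the CSRF cookie the earlier comments rely on, can be verified directly against the headers a login response returns. The following is an added example, not code from djoser or from anyone in this thread: it parses the response headers with the standard library's `http.cookies` and returns a list of findings. The two header sets are constructed inputs; the cookie names `sessionid` and `csrftoken` are Django's defaults.

```python
# Added example (not djoser's code): audit the headers of a session-based
# login response for the pitfalls raised in this thread.
from http.cookies import SimpleCookie


def parse_set_cookies(headers):
    """Return {cookie_name: {"secure", "httponly", "samesite"}} from Set-Cookie headers."""
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            cookies[key] = {
                "secure": bool(morsel["secure"]),        # flag attribute: True or ""
                "httponly": bool(morsel["httponly"]),
                "samesite": (morsel["samesite"] or "").lower(),
            }
    return cookies


def audit_login_response(headers, session_cookie="sessionid", csrf_cookie="csrftoken"):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    plain = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    cookies = parse_set_cookies(headers)

    sess = cookies.get(session_cookie)
    if sess is None:
        findings.append(f"no {session_cookie} cookie set: login did not create a session")
    else:
        if not sess["secure"]:
            findings.append(f"{session_cookie} lacks Secure (sent over plain HTTP)")
        if not sess["httponly"]:
            findings.append(f"{session_cookie} lacks HttpOnly (readable by page scripts)")
        if sess["samesite"] not in ("lax", "strict"):
            findings.append(f"{session_cookie} SameSite is {sess['samesite'] or 'unset'}; "
                            "expected Lax or Strict")

    # Browser clients need the CSRF cookie to build the X-CSRFToken header.
    if csrf_cookie not in cookies:
        findings.append(f"no {csrf_cookie} cookie: client cannot send X-CSRFToken")

    # Credentialed CORS: the origin must be explicit, and the response should
    # vary on Origin so a shared cache never serves it to another origin.
    acao = plain.get("access-control-allow-origin")
    credentialed = plain.get("access-control-allow-credentials", "").lower() == "true"
    if credentialed and acao == "*":
        findings.append("Access-Control-Allow-Origin is * with credentials allowed")
    if credentialed and acao and acao != "*" and "origin" not in plain.get("vary", "").lower():
        findings.append("credentialed CORS response without Vary: Origin")
    return findings


# Constructed sample responses (not captured from any real deployment).
WEAK_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "sessionid=c0nstructedsession; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "sessionid=c0nstructedsession; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=c0nstructedtoken; Path=/; Secure; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Vary", "Origin"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_login_response(resp) or "OK")
```

The weak response yields five findings (missing Secure, HttpOnly and SameSite on the session cookie, no CSRF cookie, and a wildcard origin with credentials); the hardened one yields none. The `csrftoken` cookie is deliberately not HttpOnly, since the frontend has to read it.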