
Django Rest Framework + React - token vs session authentication

Although there are many posts about this topic (or closely related) on SO, I did not find what I am looking for.

As the title suggests I am using Django Rest Framework as a backend, and React as a frontend.

Now I implemented token authentication, and it works perfectly. The only problem is that the token is stored in React's state, and if the user refreshes the page, he is no longer logged in (the token is lost).

So, now I want to switch to session authentication, since the problem is solved then. But that will require me to do some research, and before I go there I'd like to know if that is the best choice.

My question:

Do I need to use session authentication to have users stay logged in, even when React's state changes? Or can I also achieve the same thing with token authentication (in a safe and responsible way)?

I figure I can save the token in a cookie, but that doesn't seem safe to me.

EDIT:

Later I realized, why not just store the token in a session?

Rik Schoonbeek asked Aug 11 '18 13:08



1 Answer

SessionAuthentication would be the most straightforward way to achieve what you want. The configuration is described at http://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme. This will set a session id in a cookie that is handled by the browser.

Alternatively you can store a token in the browser's cookie, but that is vulnerable to XSS attacks and other JavaScript attacks. For more security you can store the token in an HttpOnly cookie. The cookie would be persisted across tab/window closes by the browser.

Also, to clarify, cookie handling is built into most browsers. Your React state is in userland and lives in a different memory space than cookie storage.

More info:

  1. Ask HN: Cookies vs. JWT vs. OAuth
  2. https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens
  3. http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
Harry Moreno answered Oct 22 '22 22:10
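An added example, not part of the question or the answer above: the DRF/Django settings that switch to SessionAuthentication with a browser-managed HttpOnly session cookie, plus a small check (standard library only) that a login response's Set-Cookie header actually carries the protective flags. The setting names are real Django/DRF ones; the sample headers are constructed, and the React app is assumed to be served from the same site as the API.

```python
"""Session authentication for a DRF backend used by a React frontend."""
from http.cookies import SimpleCookie

# settings.py fragment. With SessionAuthentication the session id travels in
# Django's 'sessionid' cookie, which the browser stores and re-sends on its
# own, so a page refresh (which wipes React state) does not log the user out.
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}
SESSION_COOKIE_HTTPONLY = True   # page JavaScript cannot read it (limits XSS impact)
SESSION_COOKIE_SECURE = True     # only sent over HTTPS
SESSION_COOKIE_SAMESITE = "Lax"  # not attached to cross-site POSTs
CSRF_COOKIE_SECURE = True        # SessionAuthentication enforces CSRF on unsafe methods,
                                 # so the React fetch() must send credentials and X-CSRFToken

REQUIRED_FLAGS = ("httponly", "secure", "samesite")


def audit_session_cookie(set_cookie_header, name="sessionid"):
    """Return the required attributes missing from the named cookie in a
    Set-Cookie header ([] means it matches the settings above).
    Raises ValueError if the cookie is not present at all."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise ValueError("no %r cookie in header" % name)
    morsel = jar[name]
    # Morsel flags are True when present; SameSite holds its value or ''.
    return [flag for flag in REQUIRED_FLAGS if not morsel[flag]]


if __name__ == "__main__":
    # Constructed sample headers, as a login endpoint might return them.
    good = "sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"
    weak = "sessionid=abc123; Path=/"
    print("good cookie missing:", audit_session_cookie(good))  # []
    print("weak cookie missing:", audit_session_cookie(weak))  # ['httponly', 'secure', 'samesite']
```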