Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Django Rest Framework Session vs Token Authentication

Tags:

authentication

django-rest-framework

I'm using DRF, and I've enabled Session Authentication so that I can view the browseable API in my browser. In my mobile app, i'm using token authentication. I'm just curious, how does session authentication differ from token authentication in this context? It seems to me that they are more or less the same because with session based auth, a session id instead of a token id is stored in a cookie and used in the same way. Can anybody explain it better?

like image 291
Steve Walsh Avatar asked Mar 11 '14 10:03

Steve Walsh

People also ask

What is the difference between session authentication and token authentication?

The main difference is session-based authentication of the connection stores the authentication details. The session method makes the server store most of the details, while in the case of the token-based one the client stores them.

What is the best authentication for Django REST framework?

And these are all provided by drf(django rest framework) and other than these like oauth, oauth2 based authentication are provided by the efforts of the community with help of other python packages. And they can be easily used in the production environment.

What is session based authentication in Django?

In the session based authentication, the server will create a session for the user after the user logs in. The session id is then stored on a cookie on the user's browser. While the user stays logged in, the cookie would be sent along with every subsequent request.

What is the difference between session ID and session token?

The session token, also known as a sessionID, is an encrypted, unique string that identifies the specific session instance. If the session token is known to a protected resource such as an application, the application can access the session and all user information contained in it.

1 Answers

Sessions and cookies are mainly meant for browsers where the browser will take care of sending the cookie with every request to the server. This why the CSRF protection is only enabled by default for session authentication. On the other hand, token authentication will most probably used with non-browser clients where it stores the auth token and send it with each request in header. This token is not necessarily obtained by exchanging the credentials for a token similar to what happens in session authentication. There can be a use case where an admin generates these tokens and hands it to some other system client that will invoke your API, and clearly this client does not have to have a username and password to exchange it for a token.

like image 176
almalki Avatar answered Nov 06 '22 12:11

almalki
Sign in to Comment

Related questions

Is it possible to salt and or hash HOTP/TOTP secret on the server?
ClaimsAuthenticationManager vs. IAuthenticationFilter vs. OWIN Forms Authentication
Creating a secure login using sessions and cookies in PHP
Hacking authentication usind react-dev-tools
Why Neo4J docker authentication doesn't work
Actively maintained PHP libraries for user authentication? [closed]
What is the point of Authentication tokens on REST services
OAuth2 Resource Owner Password Credentials flow
Redo an AJAX call after failure
Authorizing REST Requests
Facebook OAuth login for iframe canvas apps displays a logo image and a Go to Facebook.com caption instead of logging in
WCF Service - certificates and message security with UserName authentication
Windows Authentication for Java Based web applications, How to?
How can I validate/secure/authenticate a JavaScript-based POST request?
Should the Auth Server be combined with the User Service in a microservices architecture?
What is the difference between AddJwtBearer and AddOpenIdConnect in .NET Core Authentication?
How do I restrict access to some methods in WCF?
How to find the object that called a method in Java
MSAL or ADAL library for use with Azure AD B2C and Xamarin
How to clear browser cache after user logout to prevent access to private info via 'Back' button

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!