I am facing a big problem with my sessions in a Django project. The back-end is hosted at .my-domain.org and the front-end consumes the REST API of the back-end at .front-end.com. In the future, other front-ends on completely different domains might appear.

How do I deal with such a situation when I use the session framework provided by Django? It seems like SESSION_COOKIE_DOMAIN only allows session cookies to be set on one subdomain. The result is that if I want to be able to log in at .my-domain.org (i.e., SESSION_COOKIE_DOMAIN = None), then I am not able to receive the session cookie back from .front-end.com when it calls API endpoints. On the other hand, setting SESSION_COOKIE_DOMAIN to .front-end.com would prevent me from connecting to the site admin. The situation is also impacted by SESSION_COOKIE_PATH, of course...

Any help is more than welcome. I am quite sure I'm not the first one who needs a REST API with session authentication to be accessible from external domains.
Django uses cookies for session-based authentication, and those cannot typically be set across multiple domains. While you can work around this slightly with CORS and withCredentials, this may be blocked by default in some browsers.

You are generally better off working with another authentication method when working across domains. Even if you are able to get CORS to work with cookies, you will also have to battle CSRF across domains, which Django REST Framework points out in their documentation. I would recommend OAuth 2 because of the wide client support and the support within Django REST Framework for it, but others have used TokenAuthentication without issues.

When using OAuth, you will need to set up your front end as a client and use the web authentication flow for authentication, as otherwise you are leaving private keys out in the open, which doesn't end well. This will work in a similar way to "single sign-on", but without requiring your front end to sign requests and hold private keys. You also won't need to bother with CSRF, as Django REST Framework only requires it for SessionAuthentication.
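As an added illustration (not code from the question or the answer), the following small model of browser cookie scoping, RFC 6265 domain matching plus a simplified SameSite rule, reproduces for each SESSION_COOKIE_DOMAIN value named in the question whether the session cookie minted by my-domain.org ever reaches an API call made from front-end.com. The host names are the question's own; the two-label "site" computation and the simplified SameSite handling are assumptions of this toy model, and nothing here touches Django or a network.

```python
# Added example, not code from the question or the answer: a toy model of
# browser cookie scoping (RFC 6265 domain matching + simplified SameSite rule)
# applied to the question's hosts, my-domain.org (Django) and front-end.com.
# registrable_domain() is a deliberate simplification, not a public-suffix lookup.

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # toy "site": last two labels

def set_session_cookie(server_host, session_cookie_domain, samesite="Lax", secure=False):
    """Browser handling of Django's Set-Cookie; None means the browser drops it."""
    if session_cookie_domain is None:  # SESSION_COOKIE_DOMAIN = None -> host-only cookie
        cookie = {"domain": server_host.lower(), "host_only": True}
    elif domain_matches(server_host, session_cookie_domain):
        cookie = {"domain": session_cookie_domain.lower().lstrip("."), "host_only": False}
    else:  # my-domain.org has no authority to set a cookie for .front-end.com
        return None
    if samesite == "None" and not secure:
        return None  # browsers reject SameSite=None without the Secure attribute
    cookie.update(samesite=samesite, secure=secure)
    return cookie

def cookie_attached(cookie, request_host, initiator_host, credentials=True):
    """Is the cookie sent with a request to request_host initiated from initiator_host?"""
    if cookie is None or not credentials:  # XHR without withCredentials sends none
        return False
    if cookie["host_only"] and request_host.lower() != cookie["domain"]:
        return False
    if not cookie["host_only"] and not domain_matches(request_host, cookie["domain"]):
        return False
    same_site = registrable_domain(request_host) == registrable_domain(initiator_host)
    return same_site or cookie["samesite"] == "None"  # Lax/Strict block cross-site XHR

def scenarios():
    """The setups discussed above, mapped to 'does the session cookie arrive?'."""
    api, fe = "my-domain.org", "front-end.com"
    default = set_session_cookie(api, None)            # SESSION_COOKIE_DOMAIN = None
    wrong = set_session_cookie(api, ".front-end.com")  # SESSION_COOKIE_DOMAIN = '.front-end.com'
    opened = set_session_cookie(api, None, samesite="None", secure=True)
    return {
        "admin login, SESSION_COOKIE_DOMAIN=None": cookie_attached(default, api, api),
        "front-end.com XHR, SESSION_COOKIE_DOMAIN=None": cookie_attached(default, api, fe),
        "admin login, SESSION_COOKIE_DOMAIN='.front-end.com'": cookie_attached(wrong, api, api),
        "front-end.com XHR, SameSite=None; Secure": cookie_attached(opened, api, fe),
    }
```

The last scenario is the CORS-plus-withCredentials workaround from the answer; it passes in this model, but browsers that block third-party cookies by default will still drop it, which is why the answer steers towards token or OAuth 2 authentication instead.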