Monday, May 20, 2024

Reactive frontend + Session Authentication (+ csrf ?)

With traditional frontend (like realized with Django templates), the user will GET the login form and in this step Django sends csrf token. Later, in 2nd step, you send credential and the csrf token to the server.

But in Django + Reactive frontend (Svelte in my case, but it is not important at all) solution, the Login form is created by Svelte. Them submission: not the real submission, but under the Submit button Svelte sends credentials to Django using FetchAPI. Maybe this submission is the 1st communication to Django server and so we haven't the csrf token yet (?!)

So I have realized the Session Authentication without any regard to csrftoken cookie. My login view is wrapped by csrf_exempt. Svelte form sends credentials, Django makes login() and sends sessionid cookie back. It works.

Now my question is: Is this solution safe enough? Or is it danger and I should first get the csrftoken cookie from server in some earlier request and add the header with csrftoken?

It is pain to have such question.
AI cannot answer it, instead it will write lot of text and code examples, without answering YES or NO, without understanding what I am asking.
Find other sources is difficult (StackOverflow) is difficult too. On one side many people say Session Authentication is safe for browsers, JWT is not safe at all (because the token is saved in LocalStorage, not KeyChain). On other side, it looks like almost nobody uses Session Authentication and in problems many people say: Just go to JWT.
That are reasons why it is difficult to realize the Session Authentication. But once realized, it is supereasy - no code, just the built-in cookie mechanism.

So what do you mean?
Or can you recommend some source which describes reactive frontend + sessionid & csrftoken cookies?

You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment