#StackBounty: #django #django-rest-framework #django-csrf django rest framework – session auth vs token auth, csrf
My login code is simple:
```python
from django.contrib.auth import authenticate, login
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView


class Login(APIView):
    def post(self, request, *args, **kwargs):
        # Credentials come from the request body (JSON or form-encoded)
        username = request.data.get("username")
        password = request.data.get("password")
        user = authenticate(username=username, password=password)
        if user is None:
            return Response(status=status.HTTP_401_UNAUTHORIZED)
        # Starts a Django session; the sessionid cookie is set on the response
        login(request, user)
        # ...
```
The issue is that when I use a client from another host, like Python requests, I get a CSRF error. According to the DRF docs, I think I should use token authentication instead.
- Why do I need token authentication? The sessionid cookie is already a token, so why can't I use it for both AJAX clients and software clients? That would avoid another separate DB table for the tokens.
- Since I do want to use only session authentication, how do I enforce CSRF only for AJAX clients?
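The distinction behind the CSRF error in the question, as an added, framework-free example that is not code from the question or from DRF itself: it models the check DRF's SessionAuthentication performs (CSRF enforced only for cookie-authenticated, state-changing requests) next to TokenAuthentication, which skips the check because an Authorization header is never attached by a browser on its own. The session and token stores, the Request class, and the cookie and header names are constructed stand-ins for this example.

```python
import hmac

# Constructed stores standing in for Django's session table and DRF's token table
SESSIONS = {"sess-abc": "alice"}      # sessionid cookie value -> username
API_TOKENS = {"tok-xyz": "alice"}     # "Authorization: Token <value>" -> username
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""

    def __init__(self, method, headers=None, cookies=None):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = cookies or {}


def authenticate(request):
    """Return (username, credential_source) or (None, None).

    'session' means the credential was an ambient cookie that a browser
    attaches automatically, even to cross-site requests; 'token' means an
    explicit Authorization header that only the calling code can add.
    """
    auth = request.headers.get("authorization", "")
    if auth.startswith("Token "):
        user = API_TOKENS.get(auth[len("Token "):])
        return (user, "token") if user else (None, None)
    user = SESSIONS.get(request.cookies.get("sessionid", ""))
    return (user, "session") if user else (None, None)


def csrf_ok(request):
    """Double-submit check: the X-CSRFToken header must match the csrftoken cookie.

    A cross-site page can make the browser send the cookie, but it cannot read
    the cookie value to copy it into a header, so the match proves same-origin JS.
    """
    cookie = request.cookies.get("csrftoken", "")
    header = request.headers.get("x-csrftoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


def handle(request):
    """Return the HTTP status a view with SessionAuthentication and
    TokenAuthentication configured together would produce."""
    user, source = authenticate(request)
    if user is None:
        return 401
    # CSRF only matters when the credential rides along automatically (a cookie)
    # and the request can change state.
    if (source == "session"
            and request.method not in SAFE_METHODS
            and not csrf_ok(request)):
        return 403
    return 200


if __name__ == "__main__":
    ajax = Request("POST", {"X-CSRFToken": "c1"},
                   {"sessionid": "sess-abc", "csrftoken": "c1"})
    cross_site = Request("POST", {}, {"sessionid": "sess-abc", "csrftoken": "c1"})
    script = Request("POST", {"Authorization": "Token tok-xyz"})
    print(handle(ajax), handle(cross_site), handle(script))
```

Both authenticators can coexist in one view: DRF tries them in order, so a browser session with a valid csrftoken header and a script sending `Authorization: Token ...` both reach the same endpoint, while a cookie-only cross-site POST is rejected. Turning the CSRF check off for session-authenticated requests instead would reopen exactly the hole the check exists to close.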