#StackBounty: #django #django-rest-framework #django-csrf django rest framework – session auth vs token auth, csrf

Bounty: 50

I have DRF set with the default settings. My ajax clients works fine with the session authentication. I want another remote server to consume the same API as the javascript clients.

My login code is simple:

class Login(APIView):
    def post(self, request, *args, **kwargs):

        user = authenticate(username=username, password=password)

        if user is None:
            return Response(status=status.HTTP_401_UNAUTHORIZED)

        login(request, user)
        # ...

The issue is when I use a client from another host, like python requests, I get a CSRF error. According to DRF docs, I think I should use a token authentication instead.


  1. Why do I need token authentication? The sessionid cookie is already a token, why I can’t use it both for ajax clients and software clients? Thus avoid another separate db table for the tokens.

  2. Since I do want to use only session authentication, how to enforce CSRF only for ajax clients?

Get this bounty!!!