Thank you 🙏🏿

On Mon, May 20, 2024, 8:40 PM [email protected] <[email protected]> wrote:
> With traditional frontend (like realized with Django templates), the user will GET the login form and in this step Django sends csrf token. Later, in 2nd step, you send credential and the csrf token to the server.
>
> But in Django + Reactive frontend (Svelte in my case, but it is not important at all) solution, the Login form is created by Svelte. Then submission: not the real submission, but under the Submit button Svelte sends credentials to Django using FetchAPI. Maybe this submission is the 1st communication to Django server and so we don't have the csrf token yet (?!)
>
> So I have realized the Session Authentication without any regard to csrftoken cookie. My login view is wrapped by csrf_exempt. Svelte form sends credentials, Django makes login() and sends sessionid cookie back. It works.
>
> Now my question is: Is this solution safe enough? Or is it dangerous and I should first get the csrftoken cookie from server in some earlier request and add the header with csrftoken?
>
> It is a pain to have such a question.
> AI cannot answer it, instead it will write lot of text and code examples, without answering YES or NO, without understanding what I am asking.
> Finding other sources (StackOverflow) is difficult too. On one side many people say Session Authentication is safe for browsers, JWT is not safe at all (because the token is saved in LocalStorage, not KeyChain). On other side, it looks like almost nobody uses Session Authentication and in problems many people say: Just go to JWT.
> Those are reasons why it is difficult to realize the Session Authentication. But once realized, it is super easy - no code, just the built-in cookie mechanism.
>
> So what do you mean?
> Or can you recommend some source which describes reactive frontend + sessionid & csrftoken cookies?
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e8d3658a-0e28-468d-a6f6-10e058217605n%40googlegroups.com.
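The two-step flow the quoted question asks about (prime the csrftoken cookie in an earlier request, then POST the credentials with the token in a header, so the login view does not need csrf_exempt), written out as an added example that is not from this thread. The endpoint paths /api/csrf/ and /api/login/ and the injected fetchImpl/readCookies parameters are assumptions; the Django side is assumed to be a GET view decorated with @ensure_csrf_cookie and a POST view that calls login().

```javascript
// Added example (not from the thread): the Svelte/fetch side of Django
// session login that keeps CsrfViewMiddleware's check instead of csrf_exempt.
// Assumed endpoints: GET /api/csrf/ (a view decorated with @ensure_csrf_cookie)
// and POST /api/login/ (a view that calls django.contrib.auth.login()).

// Read one cookie from a "k=v; k2=v2" string (document.cookie in a browser).
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the fetch init for the login POST. Django's CsrfViewMiddleware
// expects the csrftoken cookie value echoed in the X-CSRFToken header
// (CSRF_HEADER_NAME, default HTTP_X_CSRFTOKEN), which a cross-site page
// cannot read or set.
function buildLoginRequest(credentials, cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (!token) {
    throw new Error('csrftoken cookie missing: call the CSRF endpoint first');
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // send/accept the sessionid and csrftoken cookies
    headers: {
      'Content-Type': 'application/json',
      'X-CSRFToken': token,
    },
    body: JSON.stringify(credentials),
  };
}

// Two-step login: the first GET makes Django set the csrftoken cookie,
// the second request POSTs the credentials with the token header.
// fetchImpl and readCookies are injected (assumption) so the flow can run
// outside a browser; in Svelte pass window.fetch and () => document.cookie.
async function loginWithSession(credentials, fetchImpl, readCookies) {
  await fetchImpl('/api/csrf/', { credentials: 'same-origin' });
  const init = buildLoginRequest(credentials, readCookies());
  const res = await fetchImpl('/api/login/', init);
  return res.ok; // on success Django has set the sessionid cookie
}
```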

