Get Session ID For A Django Site In Javascript
Solution 1:
Hey, I think this approach is not the best one; your backend is having a door here for XSS attacks. I think the best you can do is use a token for authentication, even normal token auth, which is well explained in the django-rest-framework docs http://www.django-rest-framework.org/api-guide/authentication/ but I use JWT (JSON Web Token) auth a lot, so you don't compromise other data than the token, username or other custom stuff like roles or something your app logic has. Since Ionic is AngularJS you can take a look into http://frederiknakstad.com/2013/01/21/authentication-in-single-page-applications-with-angular-js/ to see how you can manage the authentication process in the frontend mobile app.
Solution 2:
Django cookies are not available by default to Javascript as the SESSION_COOKIE_HTTPONLY setting is set to True by default, for good reason. You can set this to False and then your cookie will be accessible, but then your site will be more vulnerable to XSS.
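As an added example (not part of the answers above), the following script shows how to check whether a session cookie as actually sent by the server carries the attributes that keep it out of reach of page scripts: HttpOnly (what SESSION_COOKIE_HTTPONLY controls), Secure and SameSite. It parses Set-Cookie header lines; the three sample headers are constructed, and the cookie name `sessionid` is Django's default.

```javascript
// Added example: audit Set-Cookie headers for a Django session cookie.
// Sample header values below are constructed, not captured from a real site.

// Split one Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Report the weaknesses of a session cookie; returns null for other cookies.
function auditSessionCookie(header, cookieName = 'sessionid') {
  const cookie = parseSetCookie(header);
  if (cookie.name !== cookieName) return null;
  const findings = [];
  if (!('httponly' in cookie.attrs)) {
    findings.push('missing HttpOnly: readable via document.cookie (SESSION_COOKIE_HTTPONLY = False?)');
  }
  if (!('secure' in cookie.attrs)) {
    findings.push('missing Secure: sent over plain HTTP (SESSION_COOKIE_SECURE = False?)');
  }
  const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict: cookie rides along on cross-site requests');
  }
  return { name: cookie.name, findings };
}

// Audit every header, keeping only results for the session cookie.
function auditAll(headers) {
  return headers.map((h) => auditSessionCookie(h)).filter(Boolean);
}

// Constructed sample headers: a hardened cookie, a weakened one, and a CSRF cookie.
const SAMPLE_HEADERS = [
  'sessionid=CONSTRUCTED_VALUE_1; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax; Secure',
  'sessionid=CONSTRUCTED_VALUE_2; Max-Age=1209600; Path=/; SameSite=Lax',
  'csrftoken=CONSTRUCTED_VALUE_3; Max-Age=31449600; Path=/; SameSite=Lax',
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, result.findings.length ? result.findings : 'ok');
}
```

Run it against the Set-Cookie lines your own server returns (for example from a browser's network tab or `curl -i`): a session cookie with no HttpOnly attribute is exactly the state the answer above warns about.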
Solution 3:
Following on from codeadict's answer:
You could use JSON Web Tokens but they are a tiny bit more involved. The easiest solution is to use token authentication; you could follow the instructions here to get that set up:
http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
A potentially better solution as you are using Ionic (which uses AngularJS under the hood) is a package called django-rest-auth built for doing exactly what you are doing.
The instructions to get that set up are here http://django-rest-auth.readthedocs.org/en/latest/ and they have also released an AngularJS module here: https://github.com/Tivix/angular-django-registration-auth
Don't forget to turn HTTPS / SSL on as using token auth without it is extremely insecure.
The angular module linked above handles getting and storing these tokens for you; you then need to include the access token on every request you make to the API (via $http or $request or whatever).
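As an added example (not code from the answers above, and not from django-rest-auth or the AngularJS module linked there), the following client-side helper shows the two things the answer asks for: attaching the token to every request in the header format django-rest-framework's TokenAuthentication expects (`Authorization: Token <key>`), and refusing to send it anywhere but over HTTPS. The API URL and token value are constructed placeholders.

```javascript
// Added example: attach a DRF token to outgoing requests, HTTPS only.
// Endpoint URL and token value below are constructed placeholders.

// DRF's TokenAuthentication reads the header "Authorization: Token <key>".
function authHeaders(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no token available; log in first');
  }
  return { Authorization: `Token ${token}` };
}

// Build the options object for fetch() or $http, refusing plain HTTP:
// a token on the wire is as good as a password, so it only travels over TLS.
// Loopback addresses are allowed for local development.
function buildAuthedRequest(url, token, init = {}) {
  const parsed = new URL(url);
  const loopback = parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1';
  if (parsed.protocol !== 'https:' && !loopback) {
    throw new Error(`refusing to send token over ${parsed.protocol}//${parsed.host}`);
  }
  return { ...init, headers: { ...(init.headers || {}), ...authHeaders(token) } };
}

// Minimal in-memory token store. Persisting the token in localStorage keeps
// the user logged in across reloads, but then any XSS on the page can read it,
// the same trade-off as making the session cookie readable.
function createTokenStore() {
  let token = null;
  return {
    set(value) { token = value; },
    clear() { token = null; },
    request(url, init) { return buildAuthedRequest(url, token, init); },
  };
}

// Exercise with constructed values.
const store = createTokenStore();
store.set('CONSTRUCTED_TOKEN_KEY');
const req = store.request('https://api.example.test/notes/', { method: 'GET' });
console.log(req.headers.Authorization); // Token CONSTRUCTED_TOKEN_KEY
```

In an AngularJS app the `buildAuthedRequest` logic belongs in an `$http` interceptor so it runs for every call; with `fetch` you pass the returned object as the second argument. The HTTPS check is what makes the answer's "don't forget to turn HTTPS / SSL on" hard to forget on the client side.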