How can I get the django session ID that is ultimately stored in the cookie using javascript?
The reason I need to get that ID is that I'm doing everything from a REST API, including authentication. So, the guys developing the mobile app are using ionic and they want to make a request to the API to get that session ID - and then use it in future requests. Any advice?
asked Mar 11, 2015 at 21:38 by Alejandro Veintimilla; edited Mar 11, 2015 at 22:24 by user764357
What is the problem with getting the cookie? The default name is sessionid, but this is configurable via SESSION_COOKIE_NAME. Note that I make no comments about the security of that approach ;-) – dhke Commented Mar 11, 2015 at 21:41
3 Answers
Hey, I think this approach is not the best one; your backend is having a door here for XSS attacks. I think the best you can do is use a token for authentication, even normal token auth, which is well explained in the django-rest-framework docs: http://www.django-rest-framework.org/api-guide/authentication/ but I use JWT (JSON Web Token) auth a lot so you don't compromise other data than the token, username or other custom stuff like roles or something your app logic has. Since Ionic is AngularJS, you can take a look at http://frederiknakstad.com/2013/01/21/authentication-in-single-page-applications-with-angular-js/ to see how you can manage the authentication process on the frontend mobile app.
Django cookies are not available by default to Javascript as the SESSION_COOKIE_HTTPONLY setting is set to True by default, for good reason. You can set this to False and then your cookie will be accessible, but then your site will be more vulnerable to XSS.
Following on from codeadict's answer:
You could use JSON Web Tokens, but they are a tiny bit more involved. The easiest solution is to use token authentication; you could follow the instructions here to get that set up:
http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
A potentially better solution, as you are using Ionic (which uses AngularJS under the hood), is a package called django-rest-auth, built for doing exactly what you are doing.
The instructions to get that set up are here http://django-rest-auth.readthedocs.org/en/latest/ and they have also released an AngularJS module here: https://github.com/Tivix/angular-django-registration-auth
Don't forget to turn HTTPS / SSL on as using token auth without it is extremely insecure.
The Angular module linked above handles getting and storing these tokens for you; you then need to include the access token on every request you make to the API (via $http or $request or whatever).
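The token-auth flow the answers above recommend, as an added example that is not part of any answer and not code from Django REST framework: it assumes DRF's obtain_auth_token view is mounted at /api-token-auth/, and API_BASE is a placeholder host.

```javascript
// Added example, not code from the answers or from Django REST framework: the
// client half of the token-auth flow, in plain JS an Ionic service can wrap.
// Assumes DRF's obtain_auth_token view is mounted at /api-token-auth/ and that
// API_BASE (a placeholder) is served over HTTPS.
const API_BASE = 'https://api.example.invalid';

// The token endpoint answers 200 {"token": "<key>"} on success and 400 with
// field errors on bad credentials. Accept nothing else, so an error page or an
// empty body can never be stored as a "token".
function parseTokenResponse(status, bodyText) {
  if (status !== 200) {
    throw new Error(`token request failed: HTTP ${status}`);
  }
  const body = JSON.parse(bodyText); // throws on a non-JSON body, which is fine
  if (typeof body.token !== 'string' || body.token.length === 0) {
    throw new Error('token endpoint returned no token');
  }
  return body.token;
}

// TokenAuthentication expects the literal scheme "Token", not "Bearer".
function authHeaders(token) {
  return { Authorization: `Token ${token}` };
}

// Log in once. The app keeps the key in its own storage and never needs the
// HttpOnly session cookie. fetchImpl is injectable so the flow can be tested
// without a network; it defaults to the global fetch.
async function login(username, password, fetchImpl = fetch) {
  const res = await fetchImpl(`${API_BASE}/api-token-auth/`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  });
  return parseTokenResponse(res.status, await res.text());
}

// Every later request carries the token. A 401 means the key is wrong or was
// revoked server-side; the only recovery is a fresh login.
async function apiGet(path, token, fetchImpl = fetch) {
  const res = await fetchImpl(`${API_BASE}${path}`, { headers: authHeaders(token) });
  if (res.status === 401) {
    throw new Error('token rejected; log in again');
  }
  return JSON.parse(await res.text());
}
```

The session cookie stays HttpOnly the whole time; only the token ever reaches application code.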