Is there any way to maintain state (session) of the user instead of storing tokens in local storage on the client side, which makes them vulnerable to theft? And how exactly can we do that in Django Rest Framework?

Right now I have OAuth implemented in my project, however, since access tokens can be exchanged or stolen, I am wondering if maintaining a session on server-side in Django is possible or not?

  • REST is stateless by definition. Also, session ids can also be exchanged or stolen. – Kos Apr 23 '18 at 08:39
  • @Kos Right, how to make sure that tokens are sent by the one who acquired them initially... something like proof of possession? – Moorani Apr 23 '18 at 08:42
  • Sessions + REST doesn't make any sense. But maybe [JSON Web Token](https://jwt.io/) is what you need. There is a DRF [lib](https://github.com/GetBlimp/django-rest-framework-jwt) for it. – Raz Apr 23 '18 at 13:26
  • Storing the access token in localStorage is not any more vulnerable to theft than any other kind of client side token. – Håken Lid Jul 13 '18 at 23:06
  • @Moorani did you find any solution for this? – Thameem May 30 '19 at 10:19
  • @Thameem no, I decided to go with LocalStorage/Cookie option for storing JWT tokens. Also, session thingy doesn't make sense when working with decoupled applications. – Moorani May 30 '19 at 23:34

Use the below statement:

```python
# Store a value in the server-side session; only the opaque session id reaches the client
request.session['mysession'] = "username"
```

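The answer above only writes a value into the session; what the question is really after is the server-side counterpart to a localStorage token and the check that has to go with it. The following is an added example, not code from Django, DRF or the answerer: a framework-free model of how Django's session cookie and DRF's SessionAuthentication behave (opaque id in an HttpOnly cookie, state held on the server, CSRF token required on unsafe methods, revocation by flushing the session). The in-memory store, the Request class and the session-bound CSRF token (Django's CSRF_USE_SESSIONS mode) are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# Constructed in-memory stand-in for Django's session backend (DB/cache in real deployments).
# The browser only ever holds the opaque session id; user state stays on the server.
SESSION_STORE: dict = {}


def create_session(username: str) -> str:
    """Log a user in: mint an unguessable id and keep the user state server-side."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"user": username, "csrftoken": secrets.token_urlsafe(32)}
    return session_id


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with the flags Django's SESSION_COOKIE_HTTPONLY/SECURE/SAMESITE control.
    HttpOnly means page scripts cannot read the id, which localStorage can never offer."""
    return f"sessionid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


@dataclass
class Request:
    """Minimal assumed request object: method, cookies and headers as plain dicts."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def session_authenticate(request: Request) -> Tuple[Optional[str], Optional[str]]:
    """Mirror of what DRF's SessionAuthentication does: resolve the user from the session
    cookie, then demand a CSRF token on unsafe methods, because browsers attach cookies
    automatically and a cross-site form could otherwise act as the logged-in user.
    Returns (username, error); error is "csrf_failed" where DRF raises PermissionDenied."""
    session = SESSION_STORE.get(request.cookies.get("sessionid", ""))
    if session is None:
        return None, None  # anonymous: DRF leaves request.user unauthenticated
    if request.method not in SAFE_METHODS:
        sent = request.headers.get("X-CSRFToken", "")
        if not secrets.compare_digest(sent.encode(), session["csrftoken"].encode()):
            return None, "csrf_failed"
    return session["user"], None


def logout(session_id: str) -> None:
    """Server-side revocation: a stolen id is dead as soon as the session is flushed,
    something a self-contained JWT sitting in localStorage cannot do before it expires."""
    SESSION_STORE.pop(session_id, None)
```

Pair this with DRF's `IsAuthenticated` permission so that the anonymous `(None, None)` outcome becomes a 403 rather than silent access.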