Django’s Session Authentication with a Single Page Application

Kieron Mckenna
The Startup


In this article, I’ll assume you’re familiar with Django, Django Rest Framework, React, and a little bit of Docker and Nginx. However, I should state that I’m quite new to Docker and Nginx. I’ll also assume you have Python, Pip, Node, and Docker set up. I’ll be using Pipenv, but if you want to install your Python dependencies globally, I guess I can’t stop you. My goal is to show a development setup. I recently worked on using Django session authentication with a Single Page Application (SPA) and Django Rest Framework.

I recently attempted to authenticate users on a React app while using a Django Rest Framework (DRF) backend. The simplest option seemed to be JWT token authentication. However, a quick Google search reveals what seems to be an unresolved debate over whether keeping a JWT in local storage is secure (that statement is oversimplified, but look into it if you’re curious). After a few days of reading, I decided that session authentication was the less risky option.

Although it may seem straightforward to use sessions with a SPA, Django’s built-in session authentication is designed primarily for a web app rendered with Django templates, not for a SPA running on another domain. The CSRF tokens used alongside session authentication exist specifically to block authenticated requests that originate from another domain, creating a…
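As an added illustration (not code from the original article), here is the client-side half of that CSRF requirement: with its default settings Django sets a `csrftoken` cookie and, for any method other than GET/HEAD/OPTIONS/TRACE, expects the same value echoed back in an `X-CSRFToken` header alongside the session cookie. The cookie string and request body below are constructed sample values, and `cookieString` stands in for `document.cookie` so the helper can run outside a browser.

```javascript
// Added example (not from the original article): building a fetch() request that
// satisfies Django's CSRF check when calling a session-authenticated DRF API from a SPA.
// Django defaults assumed here: cookie "csrftoken", header "X-CSRFToken", and the
// check applying only to methods outside GET/HEAD/OPTIONS/TRACE.

const CSRF_COOKIE_NAME = 'csrftoken';
const CSRF_HEADER_NAME = 'X-CSRFToken';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one cookie value out of a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the options object for fetch(). `cookieString` would normally be
// document.cookie; it is a parameter here so the function runs outside a browser.
function buildSessionRequest(method, body, cookieString) {
  const upper = method.toUpperCase();
  const headers = { 'Content-Type': 'application/json' };
  if (!SAFE_METHODS.has(upper)) {
    const token = getCookie(CSRF_COOKIE_NAME, cookieString);
    if (token === null) {
      // Django would answer 403 without the token, so fail early and visibly.
      throw new Error('CSRF cookie missing; has the csrftoken cookie been set?');
    }
    headers[CSRF_HEADER_NAME] = token;
  }
  return {
    method: upper,
    headers,
    // Needed so the browser attaches the sessionid cookie on a cross-origin request.
    credentials: 'include',
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Constructed sample of what document.cookie might hold after logging in.
const SAMPLE_COOKIES = 'csrftoken=Q1w2E3r4T5y6; sessionid=abc123';
```

Script can only read that cookie when the page was served from the same site that set it, which is one reason the SPA and the API are commonly served from a shared host rather than separate domains.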


Twitter: @kieronjmckenna | Cyber Security Masters at Queens University Belfast | Working at Chakray Consulting UK