
I am new to Django and trying to write some APIs. Django has user-based authentication, request.user.is_authenticated(), to check whether a valid user is logged in or not. There is also session authentication. 1. How is session authentication different from Django user-based authentication? 2. Which is more secure?

I am trying to write REST APIs that call third-party APIs.

3. Is it possible to use tastypie SessionAuthentication without using a model?

I didn't find any REST API example that has implemented tastypie without a model.

What is "user based authentication"? request.user.is_authenticated() tries to look for the cookie sent by the user in the session table. If the cookie exists in the DB, it means the client is authenticated. There is no distinction between "user based authentication" and session authentication. They are one and the same thing. - xyres
Session authentication is different from is_authenticated. is_authenticated is a read-only attribute which is always True (as opposed to AnonymousUser.is_authenticated, which is always False). This is a way to tell if the user has been authenticated. This does not imply any permissions and doesn't check if the user is active or has a valid session. Even though normally you will check this attribute on request.user to find out whether it has been populated by the AuthenticationMiddleware (representing the currently logged-in user), you should know this attribute is True for any User instance. - gourav kumar
Ah, yes. Excuse my mistake. I should have rather said that Django would set request.user to the currently logged-in user, which it determines by looking at the cookie and finding a match in the session table. So request.user.is_authenticated is still, by proxy, session-based auth. - xyres

1 Answer


It usually depends on how you want to approach the authentication. They are both secure, but session authentication is usually more secure when you don't have an SSL connection. Basic authentication would mean that you have to send the user email and password (credentials) every time you want to get anything from your API, while session authentication works with a session token inside a cookie that you store in your browser (or whatever app) in order to make that authentication and let the server know that you are you.

I completely recommend you watch this talk https://www.youtube.com/watch?v=j8Yxff6L_po if you know a little bit of Node (it might also be useful if you don't); there, he explains pretty much all these differences. But in summary, what I mean is that you can do auth with both, although I think session authentication is more secure since you don't need to send the users' credentials every time.
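To make the distinction concrete, here is an added, framework-free Python model of the two mechanisms discussed in the comments and the answer (this is example code written for this page, not Django's or tastypie's own implementation). It models what Django's AuthenticationMiddleware does with the sessionid cookie (look it up in a session table and set request.user), what HTTP Basic auth puts on the wire on every request, and the check that tastypie's SessionAuthentication performs, which only needs request.user and therefore works for a Resource that has no model. The session table, credential store, CSRF cookie/header names and the CSRF-for-unsafe-methods rule are assumptions made for the example; the user data is constructed.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Union

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class User:
    username: str
    # Django: always True on a real User instance; says nothing about permissions
    is_authenticated: bool = True


@dataclass(frozen=True)
class AnonymousUser:
    username: str = ""
    is_authenticated: bool = False  # Django: always False


# Constructed stand-in for the django_session table: session key -> username.
SESSION_STORE: Dict[str, str] = {}

# Constructed credential store. Plaintext only to keep the demo short;
# a real system stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    """Constant-time credential check against the constructed USERS store."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials once and mint a random session key (what Django's login() does)."""
    if not check_password(username, password):
        return None
    key = secrets.token_urlsafe(32)
    SESSION_STORE[key] = username
    return key


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def user_from_session(headers: Dict[str, str]) -> Union[User, AnonymousUser]:
    """Model of AuthenticationMiddleware: request.user is whoever the sessionid cookie maps to."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    username = SESSION_STORE.get(cookies.get("sessionid", ""))
    return User(username) if username else AnonymousUser()


def user_from_basic_auth(headers: Dict[str, str]) -> Union[User, AnonymousUser]:
    """Model of HTTP Basic auth: the password itself rides in every request, merely base64-encoded."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return AnonymousUser()
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return AnonymousUser()
    username, _, password = decoded.partition(":")
    return User(username) if check_password(username, password) else AnonymousUser()


def basic_auth_header(username: str, password: str) -> str:
    """Build the header a client sends on every Basic-auth request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def session_authentication(method: str, headers: Dict[str, str]) -> bool:
    """Model of tastypie SessionAuthentication.is_authenticated (assumed logic): relies only on
    request.user, so no model is needed; unsafe methods additionally need a matching CSRF token."""
    user = user_from_session(headers)
    if not user.is_authenticated:
        return False
    if method in SAFE_METHODS:
        return True
    csrf_cookie = parse_cookies(headers.get("Cookie", "")).get("csrftoken", "")
    csrf_header = headers.get("X-CSRFToken", "")
    return bool(csrf_cookie) and hmac.compare_digest(csrf_cookie, csrf_header)
```

The contrast the answer draws is visible in the two middleware models: with Basic auth a passive observer on a non-TLS link recovers the password from any single request, whereas with session auth only the random session key is exposed, which can be invalidated server-side by deleting it from the session table.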