Hi all, I know this is an old thread, but I have a solution for SPAs using httpOnly session cookies. Here is a demo with React and Django WITHOUT JWTs, with httpOnly cookies for session and csrf: https://acwpython.pythonanywhere.com/authenticated/. The tutorial and open source repository are found here: https://github.com/Andrew-Chen-Wang/SPA-with-httponly-sessions.
The original purpose of this thread was for SPA development, not really for JWTs. I'm a maintainer at SimpleJWT, a repository that almost all tutorials use to show React/SPA/JS Frameworks and Django integration. I also agree with the security concerns for JWT usage on the browser. So I made this demo and tutorial overnight to make sure everyone stops using JWTs instead of sessions. Thanks for taking a look. Please spread the word to get people to stop using JWTs instead of sessions. Cheers

On Monday, May 11, 2020 at 7:19:33 PM UTC-4 dans...@gmail.com wrote:

> The place where JWT begins to get useful and important is when federated login capabilities end up in your app. That sort of thing seems more the domain of python-social-auth packages like social-auth-core and social-auth-app-django. Generating an authentication cookie doesn't require JWT - Django already does that.
>
> On Mon, May 11, 2020 at 9:37 AM Derek Adair <d...@derekadair.com> wrote:
>
>>> Maybe we can update the docs to show how you might use some of the signing primitives instead of JWTs, but this also sounds a bit dangerous 🤷♂️
>>
>> As someone hoodwinked into believing JWT was the way... I'd absolutely LOVE a clear and concise write up on how I might get my single page js apps to communicate securely with projects like Django Rest.
>>
>> Thanks for closing the door on JWT for me James.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/adc7a8eb-6100-4639-af98-4bca9afaad0b%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/2ba4d87b-594a-4736-8889-47941facdaa3n%40googlegroups.com.
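To make the session-cookie approach above concrete, here is an added example of the browser-side half of the pattern; it is not code from the linked repository or from the poster. It assumes Django's default cookie and header names (`csrftoken` and `X-CSRFToken`) and that, as in a default Django setup, the session cookie is HttpOnly while the CSRF cookie is readable by scripts. The function names (`parseCookies`, `buildRequestInit`, `apiFetch`) are this example's own. The security point it shows: the SPA never handles the session identifier at all, because the browser withholds HttpOnly cookies from `document.cookie`, so a script injected into the page cannot read or exfiltrate it the way it could a JWT kept in localStorage; the only value the SPA touches is the CSRF token, which it echoes in a header on state-changing requests so Django's CSRF middleware can match it against the cookie.

```javascript
// Added example (not from the linked repository): a fetch wrapper for a
// React/JS SPA talking to Django with session + CSRF cookies instead of JWTs.
//
// Assumptions (Django defaults): the session cookie is HttpOnly, so it never
// appears in document.cookie and cannot be read by page scripts; the CSRF
// cookie is named "csrftoken" and is readable, so the SPA can send it back in
// the X-CSRFToken header, which Django's CsrfViewMiddleware compares against
// the cookie on unsafe requests. Function names here are this example's own.

const CSRF_COOKIE_NAME = 'csrftoken';
const CSRF_HEADER_NAME = 'X-CSRFToken';
// Methods Django's CsrfViewMiddleware treats as safe (no CSRF check applied).
const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
// HttpOnly cookies never show up in such a string: keeping the session id
// out of reach of JavaScript is the whole point of the pattern.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Build the RequestInit handed to fetch(). `credentials: 'include'` makes the
// browser attach the HttpOnly session cookie itself (cross-origin as well,
// when the server's CORS configuration allows credentials). The CSRF token is
// added only on state-changing methods, which is where Django enforces it.
function buildRequestInit(method, cookieString, body) {
  const upper = method.toUpperCase();
  const headers = { Accept: 'application/json' };
  if (!CSRF_SAFE_METHODS.has(upper)) {
    const token = parseCookies(cookieString)[CSRF_COOKIE_NAME];
    if (!token) {
      throw new Error('missing CSRF cookie; call a GET endpoint that sets it first');
    }
    headers[CSRF_HEADER_NAME] = token;
  }
  const init = { method: upper, credentials: 'include', headers };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

// Convenience wrapper for the SPA. `fetchImpl` and `cookieString` are
// injectable so the logic can be exercised outside a browser.
async function apiFetch(url, method = 'GET', body, fetchImpl = globalThis.fetch,
                        cookieString = (typeof document !== 'undefined' ? document.cookie : '')) {
  return fetchImpl(url, buildRequestInit(method, cookieString, body));
}

if (typeof module !== 'undefined') {
  module.exports = { parseCookies, buildRequestInit, apiFetch, CSRF_HEADER_NAME };
}
```

In the app you would call `apiFetch('/api/items/', 'POST', { title: 'x' })` and let the browser supply `document.cookie` and `fetch`; the server side needs nothing beyond Django's session and CSRF middleware, plus CORS credentials support if the SPA is served from a different origin.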