JWT and CSRF differences

An authentication system based on tokens (JWT or random) stored in cookies is vulnerable to CSRF attacks, because cookies are sent automatically to the server with each request, so an attacker could build a harmful URL link to your site, e.g. https://yoursite.com/delete?something=1. To protect your site you need to use a CSRF token that your application … Read more

django rest framework – token authentication logout

Here’s a simple view that I’m using to log out:

    from rest_framework import status
    from rest_framework.response import Response
    from rest_framework.views import APIView

    class Logout(APIView):
        def get(self, request, format=None):
            # simply delete the token to force a login
            request.user.auth_token.delete()
            return Response(status=status.HTTP_200_OK)

Then add it to your urls.py:

    urlpatterns = [
        …
        url(r'^logout/', Logout.as_view()),
    ]

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

JWT actually uses JWS for its signature. From the specification’s abstract: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) … Read more

Is a Refresh Token really necessary when using JWT token authentication?

Let me come to your questions a little later down the line and start by actually discussing the whole purpose of a refresh token. So the situation is: The user opens the app and provides his login credentials. Now, most probably the app is interacting with a REST backend service. REST is stateless, there isn’t … Read more

What is token-based authentication?

I think it’s well explained here — quoting just the key sentences of the long article: The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. … Read more
