<aside> 🔐

Overview of authentication approaches in the system: quick summary, session vs token comparison, and Django implementation details.

</aside>



Summary


Approach comparison

| Criterion | Session-based | Token-based (JWT) |
| --- | --- | --- |
| Server state | Session stored on server | Stateless on server |
| Clients | Mostly browsers (cookies) | Web, mobile, IoT, inter-service |
| Scalability | Needs shared store or sticky sessions | Easier horizontal scaling |
| Revocation | Terminate session server-side | Short exp, refresh tokens, blacklist |
| Risks | CSRF, cookie XSS | Token theft, XSS, client storage |
| When to choose | Traditional web, admin UIs | SPAs, mobile apps, public APIs |

Session-based authentication in Django

```python
from django.contrib.auth import authenticate, login, logout


def login_view(request):
    # The POST is protected against CSRF by CsrfViewMiddleware (see the Risks row above);
    # keep the {% csrf_token %} tag in the form.
    if request.method == 'POST':
        u = request.POST.get('username')
        p = request.POST.get('password')
        # authenticate() runs the configured backends and returns None on bad credentials.
        user = authenticate(request, username=u, password=p)
        if user:
            # login() stores the user id in the server-side session and rotates the
            # session key, so a session id fixed before login is not reused.
            login(request, user)
            ...


def logout_view(request):
    # logout() flushes the whole server-side session, not just the user id,
    # which is the "terminate session server-side" revocation from the table.
    logout(request)
```
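The token-based column of the comparison table has no code on this page. As an added example (not from the original page or from Django), here is a standard-library HS256 JWT issue/verify pair that implements the Revocation row: a short `exp` plus a server-side `jti` denylist, with the algorithm pinned on the verifier side. The key and the in-memory denylist are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; in Django this would come from settings and a secrets store.
SECRET = b"constructed-demo-key-not-for-production"
REVOKED_JTI = set()  # the small server-side state that makes early revocation possible

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id: int, ttl: int = 300, now: Optional[int] = None) -> str:
    """Sign a short-lived HS256 token carrying a unique jti so it can be revoked."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": str(user_id), "iat": now, "exp": now + ttl,
                               "jti": secrets.token_hex(8)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def revoke(jti: str) -> None:
    REVOKED_JTI.add(jti)  # in production: a shared store with TTL equal to the token's remaining life

def verify(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm, expiry and revocation all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # tampered, or signed with another key
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # the verifier pins the algorithm; the token never chooses it
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if now >= int(claims["exp"]) or claims["jti"] in REVOKED_JTI:
        return None  # expired, or revoked before expiry
    return claims
```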