
Python Django REST Framework Security and Customization Token Authentication

nuri jeon
14,376 Points

What is session context? I need some more explanation about some words please

So at the beginning of the course, Kenneth gave us some explanation of why we need to use Token Authentication. But I was having a hard time understanding certain words. Here's what Kenneth said:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I’ve relied on Django’s authentication system to handle authentication for the API. The session authentication that I’ve been using is best when I’m dealing with clients that are running in the same session context as the website. Usually these would be AJAX clients.

For example, maybe I’m building a REST framework API for my courses and a JavaScript app that will consume my API and display those courses. This JavaScript app could be inside a Django template, and all communication with the API would be within the same context as the text of the website.

What happens when I go to build a mobile app that needs data from my API? I only need the data, not the HTML and CSS. Session authentication isn’t going to work very well in this scenario because there’s no session to take advantage of.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So my first question is about this sentence: "The session authentication that I’ve been using is best when I’m dealing with clients that are running in the same session context as the website."

What does "same session context" mean, and why would that be an AJAX client?

My second question is about this part: "I only need the data, not the HTML and CSS. Session authentication isn’t going to work very well in this scenario because there’s no session to take advantage of."

So is session authentication related to HTML or CSS? I have no idea about this part. Please, somebody help me out here :D

1 Answer

Alex Koumparos
Python Development Techdegree Student 36,887 Points

Hi Nuri,

Sessions, in this discussion context, are a layer on top of HTTP. When a client computer on the Internet connects to a server publishing an API, it is connecting using HTTP.

HTTP is, by design, stateless. Accordingly, when a server receives an HTTP request on a particular socket, it doesn't have to associate it with any previous requests on the same socket. Every time a client sends a request to the server, it must contain enough information for the server to fulfill the request just based on that request.

Obviously this is pretty inconvenient for building pretty much any kind of web application so a common way for web apps to overlay some state on this stateless protocol is through the creation of a "session". The way this works is that the first time you visit a website, the server creates a unique ID and gives it to the client in the Response. This information is saved in a cookie, and the ID from the cookie is sent back to the server on every subsequent request. This is how the server knows that the request it just received came from the same user as some previous request (and importantly in our situation, it knows the user was authenticated in a previous request and so is logged in).

The Django docs describe in detail how Django implements its sessions, but the important bit for the situation described by Kenneth in the video is this:

"The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort."

Cookies are only used by web browsers, so when we try to use the API from a non-browser source, such as a mobile app, we don't have the ability to use Django's sessions to maintain state. And since Django's standard authentication relies on sessions, we don't have access to this either.

Kenneth mentioned AJAX as an example, but his point is that sessions are available when a browser uses the API, but not when a non-browser uses the API.

Hope that helps,

Cheers

Alex
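To make the mechanism in this answer concrete, here is an added, self-contained simulation (not Alex's code and not Django's): the server hands out a session ID in a Set-Cookie on login, a browser-like client echoes it back on every request, a client with no cookie jar gets nothing from session auth, and a client sending the `Authorization: Token <key>` header that DRF's TokenAuthentication expects is identified from the token table instead. The stores, usernames and token key are constructed values.

```python
import secrets

# Constructed in-memory stands-in for Django's session table and
# DRF's authtoken table; real Django persists both in the database.
SESSIONS = {}                       # session id -> username
TOKENS = {"tok-mobile-001": "nuri"}  # token key -> username (constructed)


def login(username):
    """First request: server mints a session ID and returns it as a cookie.
    A browser stores this automatically; a mobile HTTP client need not."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return {"Set-Cookie": f"sessionid={sid}; HttpOnly; Secure"}


def parse_cookies(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().partition("=") for p in header.split(";") if p.strip())
    return {k: v for k, _, v in pairs}


def authenticate(request):
    """HTTP is stateless: each request must carry its own proof of identity.
    Try the session cookie first, then a DRF-style Token header."""
    headers = request.get("headers", {})
    sid = parse_cookies(headers.get("Cookie", "")).get("sessionid")
    if sid in SESSIONS:
        return SESSIONS[sid]
    scheme, _, key = headers.get("Authorization", "").partition(" ")
    if scheme == "Token" and key in TOKENS:
        return TOKENS[key]
    return None  # anonymous: neither mechanism identified a user


class BrowserClient:
    """Keeps a cookie jar, so the session ID rides along on every request."""
    def __init__(self):
        self.cookies = {}

    def store(self, response):
        raw = response.get("Set-Cookie", "").split(";")[0]  # drop attributes
        self.cookies.update(parse_cookies(raw))

    def request(self):
        jar = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return {"headers": {"Cookie": jar}}


def mobile_request(token=None):
    """A non-browser client: no cookie jar, optionally a Token header."""
    return {"headers": {"Authorization": f"Token {token}"} if token else {}}
```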