π§ Auth in Django + React
1. Session-Based Authentication
(Djangoβs default way)
- How it works
- React sends username + password β Django checks β Django sets a session ID cookie.
- Browser automatically sends the session cookie on every request.
- Django knows who you are by looking up the session in the database.
- Pros
- Simple (already built into Django).
- Secure against token theft (cookies are httpOnly + secure if configured).
- No extra setup (no external library needed).
- Works well if frontend & backend are on the same domain.
- Cons
- More annoying with cross-origin setups (React on
localhost:3000, Django onlocalhost:8000) β need CORS and CSRF configs. - Doesnβt scale well for mobile apps / multiple clients (requires cookie/session handling).
- Harder if you want to expose your API to third-party clients (like a public API).
- More annoying with cross-origin setups (React on
- Best when
- React frontend + Django backend live on same domain.
- You donβt expect to have mobile apps or external API users.
- Simpler project, internal tool, school/university project, etc.
2. Token/JWT-Based Authentication
(common for React/SPA/mobile apps)
- How it works
- Pros
- Frontend-agnostic β works with React, mobile apps, third-party clients.
- Stateless (no DB lookup needed on every request β better for scaling).
- Cleaner separation of frontend & backend.
- Industry standard for modern SPAs.
- Cons
- Tokens can be stolen if stored in
localStorage(XSS vulnerability). Needs secure handling. - Slightly more setup (install
djangorestframework-simplejwtor similar). - You need to handle token refresh (JWTs usually expire quickly).
- Tokens can be stolen if stored in
- Best when
- React frontend + Django backend are on different domains.
- You want mobile app support in the future.
- You expect to expose API to external developers.
- Larger, more scalable projects.
ποΈ Quick Mindmap Style
AUTH OPTIONS
β
βββ Session-Based (Default Django)
β βββ Stores session in DB
β βββ Uses cookies automatically
β βββ Easier to set up
β βββ Harder with CORS/CSRF
β βββ Best for small/same-domain apps
β
βββ JWT / Token-Based
βββ Returns JWT to frontend
βββ React stores token
βββ Sent via Authorization header
βββ Stateless (scales better)
βββ Needs secure token handling
βββ Best for modern SPAs, mobile apps, APIs