Prevent SessionID cookie from being sent with JWT token HttpOnly Cookies on Login #325
The methods: https://github.com/pennersr/django-allauth/blob/36dd5a7dad52429143434517c50811927283e0bb/allauth/account/adapter.py#L401

My solution is to have a custom allauth account adapter and set it in my Django app settings.

```python
from allauth.account.adapter import DefaultAccountAdapter


class DefaultAccountAdapterCustom(DefaultAccountAdapter):
    def login(self, request, user):
        # Do not call the parent implementation, so allauth never runs
        # django.contrib.auth.login() and no session is started here.
        pass

    def get_login_redirect_url(self, request):
        return None


# settings.py
ACCOUNT_ADAPTER = 'somewhere.in.your.project.DefaultAccountAdapterCustom'
```
This particular implementation of using the adapter to override login didn't work for me, since it looks like the session is being created before the custom login is called. My solution is to delete the session in the custom login method:

```python
from allauth.account.adapter import DefaultAccountAdapter


class DefaultAccountAdapterCustom(DefaultAccountAdapter):
    def login(self, request, user):
        # Remove the session object from the request. SessionMiddleware's
        # process_response reads request.session inside a try/except
        # AttributeError and returns the response as-is when the attribute
        # is gone, so nothing is saved and no sessionid cookie is set.
        del request.session
```
I came across the same issue; for me, I am trying to delete both the session and CSRF cookie with the code below by overriding DefaultAccountAdapter.

I believe it would be better for this to be handled by dj-rest-auth, as sessions / CSRF are not expected if we have set SESSION_LOGIN to False.
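The two replies above override the adapter's `login` for every login, which also switches off session creation for allauth's own web views, while the original request below is to keep session login working for the admin and only suppress it for the JWT-cookie endpoints. The following is an added example written for this thread (it is not dj-rest-auth or django-allauth code) that applies the `del request.session` trick only to requests under the dj-rest-auth URL prefix and falls through to the normal allauth login otherwise, plus a response-level cookie stripper for the CSRF cookie mentioned in the reply above. Assumptions: the `/dj-rest-auth/` prefix, the names `NoSessionForRestLoginMixin`, `is_rest_login`, `drop_session` and `strip_cookies`, and the constructed fake request and recording base adapter used in the demo functions. It uses only the standard library so it runs without Django installed.

```python
from http.cookies import SimpleCookie

# Assumption: dj-rest-auth's urls are mounted under this prefix in urls.py.
REST_LOGIN_PREFIX = "/dj-rest-auth/"


def is_rest_login(request, prefix=REST_LOGIN_PREFIX):
    """True when the login is going through a dj-rest-auth endpoint."""
    return request.path.startswith(prefix)


def drop_session(request):
    """Remove the session object from the request.

    Django's SessionMiddleware.process_response reads request.session inside a
    try/except AttributeError and returns the response untouched when the
    attribute is missing, so the session is neither saved nor emitted as a
    Set-Cookie: sessionid header. Returns True if there was a session to drop.
    """
    if hasattr(request, "session"):
        del request.session
        return True
    return False


class NoSessionForRestLoginMixin:
    """Mix in before DefaultAccountAdapter, e.g.
    class MyAdapter(NoSessionForRestLoginMixin, DefaultAccountAdapter): pass
    and point ACCOUNT_ADAPTER at the dotted path of MyAdapter."""

    def login(self, request, user):
        if is_rest_login(request):
            # The JWT cookies carry authentication here; suppress the session.
            drop_session(request)
            return None
        # Admin and allauth web logins keep their normal session behaviour.
        return super().login(request, user)


def strip_cookies(cookies, names=("sessionid", "csrftoken")):
    """Delete named cookies from a response cookie jar and return what was removed.

    Django's response.cookies is an http.cookies.SimpleCookie, so this works on
    a real HttpResponse. It only hides the cookie from the client: a session
    that was already saved stays in the session store, which is why the adapter
    approach above is the right tool for sessionid.
    """
    removed = [name for name in names if name in cookies]
    for name in removed:
        del cookies[name]
    return removed


class _FakeRequest:
    """Constructed stand-in: allauth's social flow already touched the session."""

    def __init__(self, path):
        self.path = path
        self.session = {"socialaccount_state": "constructed"}


class _RecordingBaseAdapter:
    """Constructed stand-in for DefaultAccountAdapter that records session logins."""

    def __init__(self):
        self.session_logins = []

    def login(self, request, user):
        self.session_logins.append(user)
        return "session-login"


class DemoAdapter(NoSessionForRestLoginMixin, _RecordingBaseAdapter):
    pass


def demo_adapter():
    """REST login loses its session; a normal web login still gets one."""
    adapter = DemoAdapter()
    rest = _FakeRequest("/dj-rest-auth/google/")
    web = _FakeRequest("/accounts/login/")
    rest_result = adapter.login(rest, "alice")
    web_result = adapter.login(web, "bob")
    return {
        "rest_has_session": hasattr(rest, "session"),
        "web_has_session": hasattr(web, "session"),
        "rest_result": rest_result,
        "web_result": web_result,
        "session_logins": adapter.session_logins,
    }


def demo_strip():
    """Strip sessionid and csrftoken from a constructed jar, keep the JWT cookie."""
    jar = SimpleCookie()
    jar["sessionid"] = "constructed-session-key"
    jar["csrftoken"] = "constructed-csrf"
    jar["jwt-auth"] = "constructed-jwt"
    removed = strip_cookies(jar)
    return removed, sorted(jar.keys())
```

Two caveats when wiring this into a project: the path check must match where dj-rest-auth is actually included in urls.py, and dropping `request.session` discards anything allauth stored in the session during that request, which is acceptable once the login has completed. Only strip `csrftoken` if the JWT-cookie endpoints do not rely on CSRF protection.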
Wondering if it is possible to disable the "sessionID" cookie from being sent after the user hits the login endpoint for dj-rest-auth (for my use case this is one of the social login endpoints).

Currently the login endpoint is sending back the following cookies:

I do not want to remove session authentication completely, since if a user logs in through the admin they should still be able to use their session authentication. I just want to prevent users logging in through dj-rest-auth social (JWT cookie based) login from receiving these cookies (so that they don't have both session and JWT cookie auth on at the same time).

My settings look as follows:

Sincere apologies if I am misunderstanding something here or not configuring the settings properly; I am still new to this library. I looked through the documentation and didn't find a configuration for this.