ikassi

Reputation: 98

How to implement Remember me functionality with DRF JWT?

I am trying to implement a way for users to stay logged in to my website using the JWT DRF implementation.

From the documentation it's suggested that as soon as a token is expired there is no way to refresh it.

Given that a user might close their browser, my only two options are either having long-lived tokens or storing the username/password in localStorage, and both options seem insecure.

Is there a different way to achieve this? Alternatively, is there a way to only have long-lived tokens depending on what a user wants (i.e. chooses the remember me option)?

Upvotes: 1

Views: 1386

Answers (1)

Dmitry M

Reputation: 440

Yup, JWTs are intended to authenticate sessions short-term only, even with refresh. If you're designing for the browser, I suggest you use regular old SessionAuthentication to keep users logged in longer-term (e.g. 30 days).

If you want to avoid cookies, you can use a combination of short-lived and long-lived tokens using, for example, OAuth2 -- check out Django OAuth Toolkit which integrates with DRF. The short-lived token authenticates the session just like a JWT, while the long-lived token (30-60 day lifetime) is used to get a short-lived token from your API and can be stored in localStorage.

Upvotes: 1
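An added example, not code from the question, the answer, DRF or Django OAuth Toolkit: a standard-library Python sketch of the short-lived/long-lived token pair the answer describes, where the refresh token's lifetime follows the remember-me choice from the question. `SECRET`, the TTL values and the function names (`issue_pair`, `refresh_access`) are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"     # constructed; a real app loads this from settings
ACCESS_TTL = 15 * 60                    # access token: 15 minutes
REFRESH_TTL_SESSION = 8 * 3600          # refresh token without "remember me": 8 hours
REFRESH_TTL_REMEMBER = 30 * 24 * 3600   # refresh token with "remember me": 30 days

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims):
    """Mint a compact HS256-style token: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify(token, expected_type, now=None):
    """Return the claims, or None if the signature, token type or expiry check fails."""
    header, body, mac = token.split(".")
    expect = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(mac)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("typ") != expected_type:      # a refresh token must never pass as access
        return None
    if (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims

def issue_pair(user, remember_me, now=None):
    """Login: short-lived access token plus a refresh token sized by the remember-me choice."""
    now = time.time() if now is None else now
    refresh_ttl = REFRESH_TTL_REMEMBER if remember_me else REFRESH_TTL_SESSION
    access = sign({"sub": user, "typ": "access", "exp": now + ACCESS_TTL})
    refresh = sign({"sub": user, "typ": "refresh", "exp": now + refresh_ttl})
    return access, refresh

def refresh_access(refresh_token, now=None):
    """Exchange a still-valid refresh token for a new access token (what the stored token is for)."""
    claims = verify(refresh_token, "refresh", now)
    if claims is None:
        return None
    now = time.time() if now is None else now
    return sign({"sub": claims["sub"], "typ": "access", "exp": now + ACCESS_TTL})
```

The `typ` check is the point of the split: the token kept in localStorage can only be exchanged for a short access token, never presented as one.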
