
I am building an API for interfacing with mobile applications that requires users to log in. Just using session auth gives me a CSRF error. I was able to fix it by providing credentials in basic auth, but I don't think this is ideal. This will be my first time developing for mobile devices. I was planning on using Cordova, and I don't know if there is a way to store credentials on the user's device, or if the session data will be automatically stored on the devices. If the session data will be stored on the mobile devices automatically, that would be the ideal route to go. Has anyone else had similar issues with DRF session auth, or advice on if this is the best route to go or not?

Update:

I was able to get the CSRF error to go away by using this from another post:

from rest_framework.authentication import SessionAuthentication

class NoCsrfSessionAuthentication(SessionAuthentication):
    def enforce_csrf(self, request):
        return

But this seemed to cause an error with the request.data parameter. It kept returning an empty query dict.

user2314737
Lance

1 Answer


If you want to use session auth, but are confident that you can give up CSRF protection for a given view, the @csrf_exempt decorator will do just that. (If you are using class-based views, check out this: https://stackoverflow.com/a/14379073/1375015)

Since you are using session-based authentication, your mobile applications must be storing some kind of session cookie. Therefore, you should also be able to store the csrftoken cookie and send it along with your HTTP requests. However, even then I had some troubles with the Django CSRF protection framework in the past.

Maybe switching to token authentication is an option?

Konstantin Schubert
    I tried using @csrf_exempt, but it didn't work on this view since I am using Django REST framework. I'm going to try sending the CSRF token from the device and see if that works – Lance Dec 15 '15 at 09:39
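The answer's suggestion of storing the csrftoken cookie and sending it back with each request, sketched as an added example that is not code from the question, the answer or Django REST framework. It assumes Django's default cookie and header names (`sessionid`, `csrftoken`, `X-CSRFToken`); the class name, host and cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Django does not run the CSRF check for these methods.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed Set-Cookie headers, shaped like a Django login response.
SAMPLE_SET_COOKIE = [
    "csrftoken=constructed-csrf-token; Max-Age=31449600; Path=/; SameSite=Lax; Secure",
    "sessionid=constructed-session-id; HttpOnly; Path=/; SameSite=Lax; Secure",
]


class SessionCsrfClient:
    """Hypothetical client-side helper: keeps the cookies the backend set
    and builds the headers the next request has to carry."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.cookies = {}

    def store_cookies(self, set_cookie_headers):
        """Record every Set-Cookie header received in a response."""
        for raw in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                self.cookies[name] = morsel.value

    def headers_for(self, method):
        """Return the headers to attach to a request made with `method`."""
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        if method.upper() not in SAFE_METHODS:
            token = self.cookies.get("csrftoken")
            if token is None:
                raise RuntimeError("no csrftoken cookie stored yet")
            # The header value must match the csrftoken cookie sent alongside it.
            headers["X-CSRFToken"] = token
            # On HTTPS requests Django also validates the Referer header.
            headers["Referer"] = self.base_url + "/"
        return headers


if __name__ == "__main__":
    client = SessionCsrfClient("https://api.example.test")
    client.store_cookies(SAMPLE_SET_COOKIE)
    print(client.headers_for("POST"))
```

With these headers in place the stock SessionAuthentication class can stay enabled, so the CSRF check does not have to be overridden.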