I am trying to create some API for my application.
I also have a normal website.
I am not using any secure connection.
Assuming I login into my normal website and then copy the session-id using inspect tools. and using postman set the cookie to the API and send the request, will the authentication middleware set the request.user based on the session-id.
Yes, if you copy all cookies acquired from normal browser login into Postman - back-end will check this same cookie (until postman or user logouts and makes this session-id invalid) and set user according to it.
However, as you stated, you are not using any secure connection. This is really bad practice. Nowadays https is almost standard in any ways of communication, let alone having any authentication info included. So you should definitely check using https for django site. If you are making an API for django app - check Django Rest Framework.
Also, APIs may work with some kind of password / token authentication. Only browser js-code (ajax, etc) may use Session Authentication, API calls from mobile apps / terminal should not.
