sessions

Session cookie hardening for browser-based authentication

Sessions are fine when they are treated like security-sensitive state. I set HttpOnly, Secure, and SameSite deliberately, rotate session identifiers after login, and keep idle timeout separate from absolute timeout. Weak cookie settings are still a co

Django session management and custom session backends

Sessions store user state across requests. Django supports database, cache, file, and cookie-based sessions. I use cacheddb for read performance with database persistence. For APIs, I avoid sessions in favor of token auth. The request.session dict-lik