Django REST Framework: how to use session based authentication correctly?

I am creating a project with Python / Django 1.7.1 and Django REST Framework.

I have two subdomains for a project:

  • api.myproject.com
  • www.myproject.com

WWW host contains a website that users can log in to. The REST backend is located on the API node.

I have configured Django REST Framework like this:

REST_FRAMEWORK = {   
    'PAGINATE_BY': 10,
    'PAGINATE_BY_PARAM': None,
    'MAX_PAGINATE_BY': 10,
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ),
}
Basically: I'm using session-based authentication for AJAX on the WWW host and token-based authentication for the Android app.

Now here's the problem. A user who is logged in to the WWW host can use the REST API on the API host, since session authentication is enabled. The WWW host runs JavaScript that makes API calls to the API host. This works great, but when the user logs in to the WWW host, then opens a new tab and navigates to the API host, the user can just LOOK at the REST API, and that is not my intention.

Is there any way not to show the REST API host when the user is logged in to the WWW host?

I configured session cookie domain and CSRF cookie domain as follows:

DOMAIN = 'myproject.com'
SESSION_COOKIE_DOMAIN = '.' + DOMAIN
CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
I changed this to:

DOMAIN = 'myproject.com'
SESSION_COOKIE_DOMAIN = 'www.' + DOMAIN
CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
But when trying this, the REST API is not available through session validation when the user is logged in to the WWW host, because the cookie is only set for the WWW host ...

Any tips for my problem? :-)

Thanks in advance!

Best regards, K.

1 answer


Basically ... my question is stupid and you can solve it with the required permissions. Problem solved! :-)
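The answer above says the fix is a permission, but not what the permission should check. Below is an added example (mine, not code from the question, the answer, or Django REST Framework itself) of a DRF-style permission class that lets token-authenticated requests (the Android app) through and accepts a session-authenticated request only when the browser sent it as a cross-origin call from www.myproject.com. A cross-origin XHR from the WWW page carries an Origin header; typing api.myproject.com into a new tab is a top-level navigation and carries none, so that request gets a 403 even though the shared .myproject.com session cookie is sent with it. Django and DRF are not imported so the block runs stand-alone: the two authenticator classes, FakeRequest, the https scheme and the sample headers are stand-ins constructed for the demo. In a real project subclass rest_framework.permissions.BasePermission, import the real authentication classes, and list the permission in DEFAULT_PERMISSION_CLASSES.

```python
"""Added example: DRF-style permission that refuses session-authenticated
requests unless they come from a page on the WWW host.  Not from the
original post; Django/DRF are replaced by small stand-ins so it runs alone."""
from urllib.parse import urlsplit

# Origins whose browser-side JavaScript may use the API with the session
# cookie.  Hostname is from the question; the https scheme is an assumption.
ALLOWED_BROWSER_ORIGINS = {"https://www.myproject.com"}


class SessionAuthentication:
    """Stand-in for rest_framework.authentication.SessionAuthentication."""


class TokenAuthentication:
    """Stand-in for rest_framework.authentication.TokenAuthentication."""


def request_origin(meta):
    """Return scheme://host of the page that made the request, or None.

    Browsers attach Origin to every cross-origin XHR/fetch and to most
    non-GET requests.  Top-level navigation typed into the address bar
    sends neither Origin nor a Referer from our site, which is exactly
    the case the question wants to refuse.
    """
    origin = meta.get("HTTP_ORIGIN")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = meta.get("HTTP_REFERER")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


class SessionOnlyFromWWW:
    """Same interface DRF calls on a permission: has_permission(request, view)."""

    def has_permission(self, request, view):
        # DRF sets request.successful_authenticator to the authentication
        # class instance that accepted the request (None if anonymous).
        authenticator = getattr(request, "successful_authenticator", None)
        if authenticator is None:
            return False                       # anonymous: nothing to grant
        if isinstance(authenticator, TokenAuthentication):
            return True                        # Android app, no browser involved
        if isinstance(authenticator, SessionAuthentication):
            # The session cookie alone is not enough: the call must come from
            # a page on the WWW host.  (SessionAuthentication already enforces
            # the CSRF token for unsafe methods.)
            return request_origin(request.META) in ALLOWED_BROWSER_ORIGINS
        return False                           # unknown authenticator: fail closed


class FakeRequest:
    """Minimal stand-in for rest_framework.request.Request, built for the demo."""

    def __init__(self, authenticator, meta):
        self.successful_authenticator = authenticator
        self.META = meta


def demo():
    """Run constructed requests against the permission; returns name -> allowed."""
    perm = SessionOnlyFromWWW()
    cases = {
        # JavaScript on www.myproject.com calling api.myproject.com: browser adds Origin.
        "ajax_from_www": FakeRequest(SessionAuthentication(),
                                     {"HTTP_ORIGIN": "https://www.myproject.com",
                                      "HTTP_COOKIE": "sessionid=abc"}),
        # Same logged-in user opens https://api.myproject.com/ in a new tab.
        "tab_navigation": FakeRequest(SessionAuthentication(),
                                      {"HTTP_COOKIE": "sessionid=abc"}),
        # Android app sending its token (constructed value).
        "android_token": FakeRequest(TokenAuthentication(),
                                     {"HTTP_AUTHORIZATION": "Token 0123deadbeef"}),
        # A page on another site trying to ride the shared cookie.
        "foreign_origin": FakeRequest(SessionAuthentication(),
                                      {"HTTP_ORIGIN": "https://evil.example",
                                       "HTTP_COOKIE": "sessionid=abc"}),
        "anonymous": FakeRequest(None, {}),
    }
    return {name: perm.has_permission(req, view=None) for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} -> {'allow' if allowed else '403'}")
```

Two caveats. The permission only limits what a logged-in browser gets to see; Origin and Referer are chosen by the client, so a non-browser client can send anything (though a non-browser client holding the session cookie already has the session). The shared cookie domain is the root cause: if the WWW JavaScript cannot be switched to token auth, at least drop the browsable API by setting DEFAULT_RENDERER_CLASSES to JSONRenderer only, and remember the cross-origin XHR needs CORS on the API host with an exact Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true before the browser will send the cookie at all.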