User authentication in Django
Django comes with a user authentication system. It handles user accounts, groups, permissions and cookie-based user sessions. This section of the documentation explains how the default implementation works out of the box, as well as how to extend and customize it to suit your project’s needs.
Overview
The Django authentication system handles both authentication and authorization. Briefly, authentication verifies a user is who they claim to be, and authorization determines what an authenticated user is allowed to do. Here the term authentication is used to refer to both tasks.
The auth system consists of:
- Users
- Permissions: Binary (yes/no) flags designating whether a user may perform a certain task.
- Groups: A generic way of applying labels and permissions to more than one user.
- A configurable password hashing system
- Forms and view tools for logging in users, or restricting content
- A pluggable backend system
The authentication system in Django aims to be very generic and doesn’t provide some features commonly found in web authentication systems. Solutions for some of these common problems have been implemented in third-party packages:
- Password strength checking
- Throttling of login attempts
- Authentication against third-parties (OAuth, for example)
Installation
Authentication support is bundled as a Django contrib module in django.contrib.auth
. By default, the required configuration is already included in the settings.py
generated by django-admin
startproject
, these consist of two items listed in your INSTALLED_APPS
setting:
-
'django.contrib.auth'
contains the core of the authentication framework, and its default models. -
'django.contrib.contenttypes'
is the Django content type system, which allows permissions to be associated with models you create.
and these items in your MIDDLEWARE_CLASSES
setting:
-
SessionMiddleware
manages sessions across requests. -
AuthenticationMiddleware
associates users with requests using sessions. -
SessionAuthenticationMiddleware
logs users out of their other sessions after a password change.
With these settings in place, running the command manage.py migrate
creates the necessary database tables for auth related models and permissions for any models defined in your installed apps.
Usage
Using Django’s default implementation
- Working with User objects
- Permissions and authorization
- Authentication in web requests
- Managing users in the admin
API reference for the default implementation
Customizing Users and authentication
© Django Software Foundation and individual contributors
Licensed under the BSD License.
https://docs.djangoproject.com/en/1.9/topics/auth/index/