
Users & Authentication

Add login, logout and protected pages with Django’s built-in auth.

What you will learn

  • Use Django’s auth system
  • Protect pages for logged-in users
  • Access the current user

Login built in

Django includes a full authentication system — users, passwords (securely hashed), login and logout. You barely write any of it yourself. Two functions do the heavy lifting: authenticate checks a username and password, and login remembers the user for future requests.

Authenticate and log a user in
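from django.contrib.auth import authenticate, login
from django.shortcuts import redirect, render

def my_login(request):
    if request.method != "POST":
        return render(request, "login.html")  # "login.html" is an assumed template name
    # .get() returns None for a missing field instead of raising an error
    user = authenticate(request,
                        username=request.POST.get("username"),
                        password=request.POST.get("password"))
    if user is not None:
        login(request, user)  # start the session for this user
        return redirect("home")
    # Wrong credentials: show the form again with an error
    return render(request, "login.html", {"error": "Wrong username or password"})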

Walking through it: authenticate(...) takes the submitted username and password and checks them against the stored users. If they match it returns that user; if not it returns None. The if user is not None check means "the login was correct" — so we call login(request, user) to start the session, then redirect them to the home page.

The login process from start to finish:

  1. The user submits the login form with their username and password (a POST).
  2. authenticate() checks those credentials against the user records in the database.
  3. If they are wrong it returns None and you show an error; if they are right it returns the matching user.
  4. login(request, user) saves the user’s id in the session (tracked by a session cookie in the browser) so Django remembers them on the next request.
  5. You redirect them onward. From now on every page knows who they are until they log out.

A concrete example: say the user typed asha as the username and secret123 as the password.

Authenticate with real values
# what happens inside the view, with real values
user = authenticate(username="asha", password="secret123")
# if "asha" exists and the password matches:
#   user  ->  <User: asha>      (login succeeds)
# if the password is wrong, or no such user:
#   user  ->  None              (login fails)

Output: If the password is correct, authenticate returns the asha user object, so login() runs and the browser is redirected to the home page — now signed in as Asha. If the password is wrong, it returns None, the if is skipped, and you show a "wrong username or password" message instead.

Protect a page

Some pages should only be visible to logged-in users. Instead of checking by hand in every view, you add the @login_required decorator above the view — a one-line guard:

@login_required blocks logged-out users
from django.contrib.auth.decorators import login_required
from django.shortcuts import render

@login_required
def dashboard(request):
    return render(request, "dashboard.html")

The @login_required line sits on top of the view and wraps it. Before the dashboard code runs, Django checks: is this visitor logged in? If yes, the page loads normally. If no, Django automatically sends them to the login page instead — so logged-out users can never see the dashboard.

Note: In a template, {{ user }} is the logged-in user, and {% if user.is_authenticated %} checks if someone is logged in.
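
A plain-Python model of the whole flow on this page (hashed password check, session cookie, login guard), added here as an illustration. It is not Django's implementation or this tutorial's own code; the function names, the dict used as a request and the sample user are all assumptions.

```python
# Plain-Python model of the flow above. NOT Django's code: all names here
# (USERS, SESSIONS, check_credentials, start_session, require_login) are made up.
import hashlib, hmac, os, secrets

def hash_password(password, salt=None, rounds=100_000):
    """Keep a random salt plus a PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

USERS = {"asha": hash_password("secret123")}  # constructed sample user
SESSIONS = {}                                  # session id -> username, server side

def check_credentials(username, password):
    """Plays the role of authenticate(): the username, or None on any failure."""
    known = username in USERS
    salt, stored = USERS[username] if known else hash_password("dummy")
    candidate = hash_password(password, salt)[1]
    # Constant-time compare; unknown users still go through hashing, then fail.
    return username if hmac.compare_digest(candidate, stored) and known else None

def start_session(request, username):
    """Plays the role of login(): tie a fresh random cookie value to the user."""
    SESSIONS.pop(request.get("cookie"), None)  # discard any pre-login session id
    request["cookie"] = secrets.token_urlsafe(32)
    SESSIONS[request["cookie"]] = username

def require_login(view):
    """Plays the role of @login_required: run the view only for a live session."""
    def wrapper(request):
        user = SESSIONS.get(request.get("cookie"))
        if user is None:
            return "redirect to login page"   # the view body never runs
        request["user"] = user
        return view(request)
    return wrapper

@require_login
def dashboard(request):
    return "200 dashboard for " + request["user"]

def demo():
    browser = {}                               # one visitor's state between requests
    before = dashboard(browser)                # logged out
    wrong = check_credentials("asha", "guess")
    start_session(browser, check_credentials("asha", "secret123"))
    return before, wrong, dashboard(browser)

if __name__ == "__main__":
    print(demo())
```

The guard trusts only what the server-side SESSIONS table says about the cookie value, so a made-up cookie gets the same redirect as no cookie at all.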

Q. How do you require login for a Django view?

Answer: The @login_required decorator redirects logged-out users to the login page.

✍️ Practice

  1. Add login and logout to a project.
  2. Protect a dashboard page with @login_required.

🏠 Homework

  1. Restrict your create/edit/delete pages to logged-in users.