Django Authentication and Session Management

Django Framework provides a default user authentication service, which is implemented as a backend and depends on default session management.  The form and view classed for login is provided but we need implement our own page template!

There is a full user login implementation on Django's default administration site (django.contrib.admin).  Even it does not depend on the default form and view classes, it does provide good enough idea about how the user authentication and session management work in a Django application.

How Django handle user authentication?

attributes in settings:

• LOGIN_URL default is /accounts/login/
• LOGIN_REDIRECT_URL is /accounts/profile/

The default login template is registration/login.html,

The default login view is django.contrib.auth.views.login.

• load the handle django.contrib.auth.forms.AuthenticationForm
• using django.contrib.auth.authenticate(**credentials) to authenticate credentials collected from the form
• try all authentication backends (AUTHENTICATION_BACKENDS) and stop at the first match!
• order takes priority!
• if credentials match, a user object will be created and return back!
• The user object is an instance of django.contirb.auth.models.User
• diango.contrib.auth.login(request, user)
• Here, session will be created and/or updated and request will be updated
• Then the Session Middleware will take over to do the session and cookie management!

The login decorator: login_required.

Default Authentication Backend

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    )

How Django manage user session?

Django's session implementation:

• attributes in settings:
• SESSION_ENGINE django.contrib.sessions.backends.db
• SESSION_COOKIE_NAME sessionid
• SESSION_COOKIE_AGE the age of session cookie, id seconds
• SESSION_COOKIE_SECURE force to use https to send cookies.
• middleware class MIDDLEWARE_CLASSES
• django.contrib.sessions.middleware.SessionMiddleware
• application name INSTALLED_APPS
• django.contrib.sessions
• about sessions models: django.contrib.sessions.models.Session
• session = Session.objects.get(pk='sessionidabeislleislksdiels')
• session.expired_data = datetime.datetime(...)
• session.save()
• newData = {'nome':'abeisl', 'newdate':'dieslaejl'}
• session.session_data=Session.objects.encode(newData)
• session.get_decoded()
• Session Table Clean Up Script is provided in the django-admin.py.  It will deletes all sessions in the session table whose expire_date is in the past!  If user manually logout, the corespondent session record will be removed.
• An session record with Anonymous permission will be created whenever any user visit any page!

we could easily set up a seesion based on cache or file, just need set up different engines in settings.py

References

• Available Settings Reference: http://docs.djangoproject.com/en/dev/ref/settings/
• User Authentication in Django: http://docs.djangoproject.com/en/dev/topics/auth/
• How to Use Sessions: http://docs.djangoproject.com/en/dev/topics/http/sessions/