User Authentication

Django's authentication system manages user accounts, logging in, and logging out — it verifies a username and password with authenticate(), starts a session with login(), ends it with logout(), and exposes the current user on every request as request.user.

Learn User Authentication in our free Django course — a beginner-friendly interactive lesson with worked examples, a practice exercise and a quick reference.

Part of the free Django course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.

In this lesson you'll create users the safe way with hashed passwords, sign people in and out, check whether a visitor is authenticated, and wire up Django's ready-made login and registration tools so you don't have to build them by hand.

Django ships with a built-in User model that lives in django.contrib.auth.models . Each user has fields like username , email , password , is_active , and is_staff . You almost never write this model yourself — Django created it and its database table for you when you ran your first migration.

The single most important rule of authentication: never set the password field directly . Always create accounts with User.objects.create_user() , which hashes the password before saving it. Storing a raw password is a serious security bug.

Signing someone in is two steps. First authenticate() checks the credentials and returns the matching User (or None if they are wrong). Then login() takes that user and starts a session so they stay signed in. To sign someone out, call logout() .

On every request, Django gives you request.user . For a signed-in visitor it is their User object; for an anonymous visitor it is an AnonymousUser . Check request.user.is_authenticated to tell them apart.

You rarely need to write login logic by hand. Django provides LoginView and LogoutView , and including django.contrib.auth.urls in your URLconf wires up the whole login, logout, and password-reset flow.

For sign-up, the UserCreationForm gives you a complete, validated registration form. Render it in a view, and on a valid POST call form.save() to create the account.

In a template you can show different links depending on whether the visitor is signed in:

Fill in the blanks so the view verifies the credentials and then starts the session. One blank should be authenticate and one should be login .

❌ Storing the raw password instead of using create_user()

Setting user.password = "plain" stores an unusable, insecure string — login will never succeed and real passwords are exposed.

✅ Fix: use User.objects.create_user(...) or user.set_password("...") so the password is hashed.

❌ authenticate() returns None for bad credentials

A wrong username or password makes authenticate() return None , and passing None to login() raises an error.

✅ Fix: always check if user is not None: before calling login() .

❌ Forgetting to call login() after authenticate()

authenticate() only verifies — it does not start a session. Skip login() and the visitor is never actually signed in.

✅ Fix: after a successful authenticate() , call login(request, user) to begin the session.

Build a miniature auth system: register a user with a hashed password, then log them in only when the credentials match.

Lesson 17 complete — you can sign users in and out!

You now know how the User model stores hashed passwords, how to create accounts with create_user(), how authenticate() and login() work together, how to sign out with logout(), how to check request.user.is_authenticated, and how Django's built-in auth views and UserCreationForm save you from writing it all yourself.

🚀 Up next: Permissions & Decorators — control who is allowed to do what with permissions and the @login_required decorator.

Practice quiz

• Browse all free courses
• Cheat sheets & quizzes
• Coding dictionary