Authentication & Login

Authentication is the process of verifying who a user is — confirming a person owns the account they claim — so your app can show private pages, save their data, and keep everyone else out.


Part of the free Flask course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.

In this lesson you'll hash passwords securely with Werkzeug, manage user sessions with Flask-Login, and protect routes so only signed-in users can reach them.

A password hash is a one-way scrambled version of a password. You can check whether a guess matches the hash, but you can never turn the hash back into the original password.

Werkzeug — the library Flask is built on — ships two helpers for this. Use generate_password_hash when a user registers, and check_password_hash when they log in. Never store the raw password.

Flask-Login tracks which user is signed in across requests. You create a LoginManager, mix UserMixin into your model, and tell Flask-Login how to load a user from their stored ID.

With the model in place you can write the three core routes. login_user starts a session, logout_user ends it, and @login_required guards any page that needs a signed-in visitor.

Inside any template or view you can use current_user to read the logged-in user, or check current_user.is_authenticated to show different content to guests and members.

Complete the login route below. Replace each ___ so it verifies the password and starts a session.

❌ RuntimeError: Missing user_loader or request_loader

You forgot to register a @login_manager.user_loader function. Flask-Login needs it to reload the user from the session on every request.

Set app.config["SECRET_KEY"] to a long random string. Without it, Flask cannot sign the session cookie and login will fail.

Add a protected profile page that greets the logged-in user by name.

Lesson 18 complete — your app can sign users in!

You can now hash passwords with Werkzeug, manage sessions with Flask-Login, and lock pages behind @login_required. That is the foundation of every account-based web app.

🚀 Up next: App Factory & Config — learn to structure larger apps with a create_app() factory and configuration classes.

Practice quiz

Which Werkzeug function creates a password hash when a user registers?

  • generate_password_hash
  • hashlib.md5
  • encrypt_password
  • make_hash

Answer: generate_password_hash. generate_password_hash creates an irreversible hash on registration.

Which function verifies a password guess at login?

  • verify_hash
  • check_password_hash
  • compare_password
  • match_hash

Answer: check_password_hash. check_password_hash(hash, guess) verifies the guess against the stored hash.

Why hash passwords instead of storing them plain?

  • It saves storage space
  • It speeds up login
  • If the database leaks, hashes can't be reversed
  • Flask requires it

Answer: If the database leaks, hashes can't be reversed. Hashing is irreversible, so a leaked database does not expose passwords.

What does the @login_required decorator do?

  • Hashes the password
  • Logs all requests
  • Creates a session cookie
  • Blocks the route unless a user is logged in

Answer: Blocks the route unless a user is logged in. @login_required blocks access and redirects anonymous visitors to the login page.

Which function starts a user session in Flask-Login?

  • login_user(user)
  • start_session(user)
  • authenticate(user)
  • session.login(user)

Answer: login_user(user). login_user(user) starts the session.

Which class adds default methods like is_authenticated to your model?

  • LoginManager
  • UserMixin
  • AnonymousUser
  • BaseModel

Answer: UserMixin. UserMixin adds is_authenticated, is_active, get_id, and more.

Why must SECRET_KEY be set for Flask-Login?

  • To hash passwords
  • To name the app
  • To sign the session cookie so it can be trusted
  • To enable debug mode

Answer: To sign the session cookie so it can be trusted. Flask-Login needs SECRET_KEY to sign the session cookie.

What does @login_manager.user_loader register?

  • A logout handler
  • A password hasher
  • A route guard
  • A function to reload the user from the session

Answer: A function to reload the user from the session. user_loader reloads the user from their stored id on each request.

How do you read the currently signed-in user in a view?

  • current_user
  • session.user
  • g.login
  • request.user

Answer: current_user. current_user gives the logged-in user (or an anonymous user).

Which function ends a user's session?

  • session.clear()
  • logout_user()
  • end_login()
  • current_user.logout()

Answer: logout_user(). logout_user() ends the session.