Using sessions for implementing user authentication involves managing user

login, logout, and maintaining their state across requests. Django’s built-in au-
thentication system simplifies this process using session management under the
hood.
Here’s a step-by-step explanation of how to use sessions for user authentication
in Django:

1. Authentication Workflow with Sessions

1. Login: Validate the user’s credentials and store their information in the
session.
2. Session Maintenance: Django’s session framework keeps the user logged
in by storing session data, such as the user’s ID.
3. Logout: Clear the session to log the user out.
4. Access Control: Use session data to determine the user’s authentication
status and permissions.

2. Login Implementation
Django provides the authenticate() and login() methods to handle user
authentication and session creation.

View for Login

from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect
from django.http import JsonResponse

def login_view(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')

# Authenticate the user

user = authenticate(request, username=username, password=password)
if user is not None:
# Log the user in and create a session
login(request, user)
return JsonResponse({'message': 'Login successful'})
else:
return JsonResponse({'error': 'Invalid credentials'}, status=400)

return render(request, 'login.html')

1
HTML Template
<form method="post">
{% csrf_token %}
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<button type="submit">Login</button>
</form>

3. Storing User Data in Session

When a user logs in using login(request, user), Django automatically stores
the user’s ID in the session. You can also store additional custom data in the
session.

Adding Custom Data to Session

def custom_login_view(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')

user = authenticate(request, username=username, password=password)

if user:
login(request, user)

# Add custom data to session

request.session['user_role'] = 'admin' if user.is_staff else 'user'
request.session['last_login_time'] = str(user.last_login)

return JsonResponse({'message': 'Login successful'})

return JsonResponse({'error': 'Invalid credentials'}, status=400)

4. Logout Implementation
To log out a user and clear the session, use Django’s logout() method.

View for Logout

from django.contrib.auth import logout
from django.shortcuts import redirect

def logout_view(request):
logout(request) # Clears the session
return redirect('login')

2
5. Checking Authentication Status
To verify if a user is authenticated, use request.user.is_authenticated.

Example
from django.http import JsonResponse

def profile_view(request):
if request.user.is_authenticated:
return JsonResponse({
'username': request.user.username,
'email': request.user.email,
'role': request.session.get('user_role', 'user')
})
else:
return JsonResponse({'error': 'User not logged in'}, status=401)

6. Protecting Views with Authentication

Django provides the @login_required decorator to restrict access to views for
authenticated users only.

Example
from django.contrib.auth.decorators import login_required

@login_required
def dashboard(request):
return render(request, 'dashboard.html')

Custom Login URL Set a custom login URL in settings.py:

LOGIN_URL = '/login/'

7. Session Expiry for Authentication

Set Session Expiry You can configure session expiration for authenticated
users: 1. Short-lived Sessions: python request.session.set_expiry(300)
# Session expires in 300 seconds (5 minutes) 2. Persistent Sessions:
By default, sessions persist until the browser is closed. To enable persis-
tent sessions, set: python SESSION_EXPIRE_AT_BROWSER_CLOSE = False
SESSION_COOKIE_AGE = 3600 # 1 hour in seconds

3
Clearing Sessions Manually You can clear session data when logging out:
from django.contrib.sessions.models import Session

def clear_all_sessions(user):
sessions = Session.objects.filter(session_key=user.session_key)
sessions.delete()

8. Access Control Using Sessions

Role-Based Access Store the user’s role in the session during login and use
it for access control:
from django.http import HttpResponseForbidden

def admin_view(request):
if request.session.get('user_role') != 'admin':
return HttpResponseForbidden('Access denied')
return JsonResponse({'message': 'Welcome, Admin!'})

Tracking User Activity Track the user’s last activity time using sessions:
from datetime import datetime

def track_user_activity(request):
request.session['last_activity'] = str(datetime.now())

9. Custom Use Case: Remember Me Functionality

View for Login with “Remember Me”
def login_with_remember_me(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
remember_me = request.POST.get('remember_me', False)

user = authenticate(request, username=username, password=password)

if user:
login(request, user)

# Set session expiry based on "Remember Me" option

if not remember_me:
request.session.set_expiry(0) # Session expires on browser close
else:

4
 request.session.set_expiry(1209600) # 2 weeks

return JsonResponse({'message': 'Login successful'})

return JsonResponse({'error': 'Invalid credentials'}, status=400)

HTML Template
<form method="post">
{% csrf_token %}
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<label>
<input type="checkbox" name="remember_me"> Remember Me
</label>
<button type="submit">Login</button>
</form>