Django comes with a built-in authentication framework that can handle user authentication, sessions, permissions, and user groups. The authentication system includes views for common user actions such as login, logout, password change, and password reset.

The authentication framework is located at django.contrib.auth and is used by other Django contrib packages. Remember that you have already used the authentication framework in Chapter 1, Building a Blog Application, to create a superuser for your blog application to access the administration site.

When you create a new Django project using the startproject command, the authentication framework is included in the default settings of your project. It consists of the django.contrib.auth application and the following two middleware classes found in the MIDDLEWARE setting of your project:

• AuthenticationMiddleware: Associates users with requests using sessions
• SessionMiddleware: Handles the current session across requests

A middleware is a class with methods that are globally executed during the request or response phase. You will use middleware classes on several occasions throughout this book, and you will learn to create custom middleware in Chapter 13, Going Live.

The authentication framework also includes the following models:

• User: A user model with basic fields; the main fields of this model are username, password, email, first_name, last_name, and is_active
• Group: A group model to categorize users
• Permission: Flags for users or groups to perform certain actions

The framework also includes default authentication views and forms that we will use later.