Authentication middleware helps check who a user is before they use parts of a website. It keeps the site safe by making sure only allowed users can see certain pages.
MIDDLEWARE = [
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
# other middleware
]MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.middleware.common.CommonMiddleware',
]request.user.is_authenticated thanks to the middleware.from django.http import HttpResponse def my_view(request): if request.user.is_authenticated: return HttpResponse('Hello, ' + request.user.username) else: return HttpResponse('Please log in.')
This example shows how AuthenticationMiddleware works with the @login_required decorator to protect a view. If a user is not logged in, they will be redirected to the login page automatically.
from django.http import HttpResponse from django.contrib.auth.decorators import login_required @login_required def secret_page(request): return HttpResponse(f"Welcome, {request.user.username}! This is a secret page.") # settings.py snippet MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.middleware.common.CommonMiddleware', ] # This setup ensures only logged-in users can access secret_page view.
AuthenticationMiddleware depends on SessionMiddleware, so order matters.
It adds a user attribute to every request, which you can use in views and templates.
Use decorators like @login_required to easily protect views.
Authentication middleware checks who the user is on every request.
It must be added to the MIDDLEWARE list in settings.py after session middleware.
It makes user info available as request.user for your views.