Sahand

Reputation: 8380

Where should the authentication functionality for my website reside?

I'm making a workout calendar app where a person can register a user and start logging his workouts in a calendar.

This is how the project is structured right now. Inside of workoutcal/urls.py, I've defined, among others, the following urls:

url(r'^login/$', views.login, name='login'),
url(r'^register/$', views.UserFormView.as_view(), name='register')

The views that handle the requests reside in workoutcal/views.py. My question is if this is the right way to do it. I'm a little bit confused about what an "app" in Django (such as the workoutcal app) encapsulates. I think I want the user to log in to the whole functionality of my website, and if that is the case, shouldn't the login urls reside in workout/urls.py?

Upvotes: 0

Views: 21

Answers (1)

sisisisi

Reputation: 621

The specifics of where exactly authentication should be are not carved in stone (as every project is differently structured), but as a general rule it should look like this:

  • client sends login information to server
  • server checks if login info is correct, then if it is, sends back a key unique to that login session/user (former is more secure)
  • when client wants to access data only available to that user, it sends a request to server along with the key received upon login

If your method matches this pattern, and communication with the server is encrypted, the chances are it's good enough.

Upvotes: 1
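
The three steps listed in the answer above, as an added framework-independent sketch in Python (not code from the question or the answer). `AuthServer`, its method names and the one-hour session lifetime are assumptions; it issues a new random key per login session, stores only the key's hash on the server, and expires or revokes it.

```python
import hashlib
import hmac
import secrets
import time
# Added illustration: AuthServer and its method names are hypothetical.
SESSION_TTL = 3600  # seconds; assumed lifetime for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    def __init__(self):
        self.users = {}     # username -> (salt, password_hash)
        self.sessions = {}  # sha256(token) -> (username, expires_at)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, now=None):
        """Step 2: check credentials, return a fresh per-session key or None."""
        now = time.time() if now is None else now
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        # Hash even for unknown users and compare in constant time.
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)  # unguessable, new on every login
        key = hashlib.sha256(token.encode()).hexdigest()
        self.sessions[key] = (username, now + SESSION_TTL)
        return token

    def authenticate(self, token: str, now=None):
        """Step 3: map the key sent with a request back to a user, or None."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.sessions.get(key)
        if entry is None or entry[1] <= now:
            self.sessions.pop(key, None)  # drop expired sessions
            return None
        return entry[0]

    def logout(self, token: str) -> None:
        # Per-session keys can be revoked without affecting other logins.
        self.sessions.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

In a Django project, `django.contrib.auth` together with the session middleware already implements this pattern, so a login view normally calls its `authenticate()` and `login()` functions rather than custom code like this.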
