# Authentication

* Authentication is the process of verifying the identity of a user. However, HTTP is a **stateless protocol** - client state is not preserved on the server.

* Any client state that we wish to preserve must be _stored in the client_ and sent along with subsequent requests.

* Web applications typically implement this via **HTTP cookies** - small packets of information that are sent to the client with the response and then sent back to the server along with subsequent requests to the same host.

You can see these cookies by inspecting the HTTP headers for a request. You can also inspect the cookies stored by your browser at any time.

# The Django User model and Authentication System

Django provides a user-friendly API for managing the authentication process. This is based around the class `django.contrib.auth.models.User`; the auth system built around it automatically handles all the cookie management and provides easy hooks for authentication.

There are various standard views in a typical authentication system - login, logout, password reset, etc. We could implement them from scratch, but Django provides well-designed and easy-to-use implementations out of the box.

Authentication is typically a project-wide process, so the URLs are usually defined at the project level rather than in a particular app. See the demo app for an example of this system in action.

As usual, the Django docs are excellent - https://docs.djangoproject.com/en/2.1/topics/auth/default/

## The login_required decorator

A big advantage of using the Django auth system is that it is trivially easy to restrict access to certain views to logged-in users only. Recall that a decorator is a callable that is used to modify a function or method (essentially it is a function that takes a function/method as an argument and returns a function/method).

`views.py`
```python
from django.contrib.auth.decorators import login_required

# Anonymous users are redirected to settings.LOGIN_URL before the view body runs
@login_required
def member_update(request, member_id):
    ...
```
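
To make the decorator mechanics concrete, here is an added example (not Django's implementation and not code from the demo app): a simplified stand-in for `login_required`, run against constructed request objects. The names `simple_login_required` and `make_request`, the `LOGIN_URL` value, and the ownership check inside `member_update` are assumptions for illustration; the ownership check shows that being logged in only proves who the user is, not that they may edit this particular member.

```python
from functools import wraps
from types import SimpleNamespace
from urllib.parse import quote

# Assumed value for this sketch; Django reads the real one from settings.LOGIN_URL
LOGIN_URL = "/accounts/login/"


def simple_login_required(view):
    """Simplified stand-in for login_required: takes a view, returns a gated view."""
    @wraps(view)  # preserve the wrapped view's name and docstring
    def wrapper(request, *args, **kwargs):
        if request.user.is_authenticated:
            return view(request, *args, **kwargs)
        # Anonymous user: redirect to the login page and remember the target
        target = quote(request.path, safe="/")
        return SimpleNamespace(status_code=302, location=f"{LOGIN_URL}?next={target}")
    return wrapper


@simple_login_required
def member_update(request, member_id):
    # Authentication passed; still check this user may edit this member record
    if request.user.id != member_id:
        return SimpleNamespace(status_code=403, location=None)
    return SimpleNamespace(status_code=200, location=None)


def make_request(path, user_id=None):
    """Constructed stand-in for an HttpRequest (not a Django object)."""
    user = SimpleNamespace(id=user_id, is_authenticated=user_id is not None)
    return SimpleNamespace(path=path, user=user)


if __name__ == "__main__":
    path = "/members/7/update/"
    for uid in (None, 7, 8):
        resp = member_update(make_request(path, uid), member_id=7)
        print(uid, resp.status_code, resp.location)
```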
