On this article, we’ll take a look at the assorted options that Flask-Login affords and the way to use them to create a safe person login performance to your internet utility. By the tip of this text, you’ll have a great understanding of the way to use Flask-Login to implement safe person authentication in your Flask functions.

Authentication is a vital a part of any internet utility that permits customers to entry information or assets because it ensures that solely the fitting individuals get entry to delicate info. This may also be achieved in Flask utilizing Flask-Login.

Flask-Login is an extension in Flask with features that deal with the logging in and logging out of customers and preserve observe of the present person(s) all through the appliance. This makes it straightforward to implement authentication and authorization in your Flask functions.

Desk of Contents

Why Use Flask-Login?

Flask-Login has quite a lot of options and features that make it straightforward to seamlessly carry out authentication in Flask functions. Listed below are among the advantages of utilizing Flask-Login:

  • Person session administration. Flask-Login handles the creation and destruction of person periods. It will possibly additionally retailer the present person’s ID within the session so that you could simply examine if a person is logged in.

  • Login and logout performance. Flask-Login gives built-in login and logout features. These features handle all of the essential processes, comparable to creating and destroying periods and redirecting the person to the suitable web page.

  • Person loader callback. Flask-Login permits you to outline a person loader callback. This callback is used to load the person object for the present session. That is helpful for those who’re utilizing a database to retailer person info.

  • Authentication and authorization. Flask-Login makes it straightforward to implement authentication and authorization in your functions. You should use Flask-Login to guard particular pages or routes and to grant customers completely different ranges of entry to your utility.


To observe lengthy with this text, you want the next:

  • a data of Python and Flask syntax
  • a primary data of HTML and CSS
  • Python model 3 and Flask put in

Clearly you additionally want entry to an internet browser.

Getting Began

To totally make use of the Flask login module, we have to have Flask-Login and different needed dependencies put in. These libraries present the mandatory features and instruments wanted to enhance the performance of your app. To put in them, open your command immediate or terminal and execute the next pip command:

pip set up flask-login flask_sqlalchemy flask_bcrypt

Right here’s a breakdown of what every of those libraries is used for:

  • Flask-SQLAlchemy: integrates SQLAlchemy with Flask for database operations
  • Flask-Bcrypt: provides Bcrypt hashing for password safety in Flask

As soon as the set up is accomplished, it should robotically have the Flask login downloaded within the listing you used.

Observe: on the time of writing, there’s a slight difficulty in resolving the dependencies within the newest model of Flask and Werkzeug. To resolve this, it’s important to drive set up model 2.3.0 of Werkzeug, because it’s the one recognized model working proper now.

As soon as your dependencies have been put in, you’ll have to initialize them along with your Flask app:

from flask_sqlalchemy import SQLAlchemy

from flask_login import UserMixin, LoginManager, login_user, logout_user, login_required

from flask_bcrypt import Bcrypt

from flask_login import LoginManager
 app = Flask(__name__)

login_manager = LoginManager()


Within the code snippet above, we’ve additionally initialized the LoginManager object in our utility. LoginManager is an extension of Flask-Login that’s used to arrange the mandatory configurations for dealing with person periods.

Making a Person Mannequin

A mannequin is a illustration of the info construction you need to use in your utility. It defines how information is organized, saved, and manipulated throughout the system. Fashions are normally used with a database that follows the construction outlined beforehand. For our app, we now have the next information:

  • a singular ID
  • a username
  • a password (hashed)
class Person(UserMixin):

id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(64), distinctive=True)
password_hash = db.Column(db.String(128))

def __repr__(self):
  return f'<Person {self.username}>'

You too can add further properties to your person mannequin, comparable to an e-mail handle or profile image, relying on the scope of your undertaking.

Making a Database

When you’ve outlined your person mannequin, it’s worthwhile to create a database that may retailer the info construction we created within the earlier mannequin.

For this text, we’ll be utilizing an SQLite database. It’s because SQLite is a light-weight and serverless database engine. This makes it straightforward to arrange and use, because it doesn’t require a separate set up. It’s additionally a good selection for small- to medium-sized functions.

Right here’s a breakdown of the steps for utilizing an SQLite database in our utility:

  1. To utilize the SQLite database, it’s important to set a URI in your Flask app configuration. That is normally executed on the high, alongside different configurations. Right here’s a snippet you should use:

    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///website.db' 

    On this snippet, the ///... signifies the relative path to your file — website.db — which is the title we used for our SQLite database file. This title may be modified to something you favor.

  2. Subsequent, it’s important to initialize the Flask-SQLAlchemy ORM utilizing this snippet:

    SQLAlchemy is an object-relational mapper that gives a set of instruments for working with databases utilizing Python. The road db = SQLAlchemy(app) creates an occasion of the SQLAlchemy class and binds it to your Flask utility (app).

  3. To create this database, we now have to initialize the database, utilizing the create_all methodology:

    if __name__ == '__main__':

    This code is often positioned on the finish of your Python script or in a separate script devoted to initializing the database. When you run your script, the database file will likely be created with corresponding tables based mostly on the fashions we outlined beforehand.

    On this case, the code will create a website.db file with a Person desk if it doesn’t exist already. The website.db file normally is available in a folder known as /occasion/.

Subsequent, we have to create a user_loader that takes a person ID and returns the corresponding Person object. Right here’s an instance:

def load_user(user_id):
  return Person.question.get(user_id)

Password Hashing

Password hashing is a safety measure that shops the cryptographic illustration of the person’s password earlier than it’s saved in a database. This manner, it turns into tougher to get the precise password even when the safety of the appliance has been compromised.

Often, the password is first hashed within the registration course of and saved in a database. Then, every time a person logs in, their password is hashed once more and in comparison with the hashed password saved within the database. If the 2 passwords match, the person is authenticated and given entry to the appliance.

Tips on how to hash and confirm passwords utilizing Flask-Bcrypt

Flask has an extension known as Flask-Bcrypt that helps to attain this performance. It has two main features: generate_password_hash() and check_password_hash().

Thegenerate_password_hash() operate takes the person’s password as an argument and returns a hashed password. That is normally used within the registration logic.

The check_password_hash() operate takes a password and a hashed password as arguments and returns true if the 2 passwords match, or false in the event that they don’t match. That is known as earlier than granting entry to the login view

Making a Register View

Views are part of the Flask framework used to generate HTML, JSON, or different information that’s despatched to the person’s browser. On this code snippet, we’re going to create a view that accepts the person’s enter and provides the small print to the database:

@app.route('/register', strategies=['GET', 'POST'])

def  register():

if request.methodology == 'POST':
  username = request.kind['username']
  password = request.kind['password']
  hashed_password = bcrypt.generate_password_hash(password).decode('utf-8')

  new_user = Person(username=username,password=hashed_password) 
    return redirect(url_for('welcome '))
  return render_template('registeration.html')

Right here’s a breakdown of the code:

  • Within the first line, we outline a route for the URL path /login. This route accepts each GET and POST requests. The login() operate, which is related to the route, will likely be executed when a request is made.

  • Subsequent, we verify if the request methodology is a POST methodology:

    if request.methodology == 'POST':

    As soon as it’s confirmed, the operate retrieves the values entered by the person within the login kind:

    username = request.kind['username']
    password = request.kind['password']
  • It then queries the database for a person with the supplied username. If a person with the supplied username is discovered and the password matches, the code inside this block will likely be executed.

Making a Login View

Within the login view, we create a logic that accepts enter from a web page after which checks if the enter matches any row within the database:

@app.route('/login', strategies=['GET', 'POST'])

def  login():
  if request.methodology == 'POST':
    username = request.kind['username']
    password = request.kind['password']
    person = Person.question.filter_by(username=username).first()

    if person and bcrypt.check_password_hash(person.password, password):
      return redirect(url_for('welcome'))
  return render_template('login.html')

Right here’s a breakdown of how the code works:

  • Within the first line — @app.route('/login', strategies=['GET', 'POST']): — we’re making use of a decorator that defines a route for the URL path /login. The route accepts each GET and POST requests. The related operate, login(), will likely be executed when a request is made to this route.

  • The login() operate begins by checking if the request methodology is POST:

    if request.methodology == 'POST':

    As soon as, it’s confirmed that it’s a POST request, it retrieves the values entered by the person within the login kind:

    username = request.kind['username']
    password = request.kind['password']
  • It then queries the database for a person with the supplied username:

    person = Person.question.filter_by(username=username).first()
    if person and bcrypt.check_password_hash(person.password, password):  
  • If each the username and the password are validated, the person is granted entry utilizing Flask-Login’s login_user and redirect features:

  • Nevertheless, if the request methodology isn’t POST or the small print are incorrect, it renders the login.html template:

    return render_template('login.html')

    In essence, it checks if the entered credentials are legitimate, logs the person in, and redirects them to the welcome web page if profitable. If the login is unsuccessful or it’s a GET request, it renders the login template for the person to enter their credentials.

Creating Logout Logic Utilizing a Protected View

In most functions, some pages are inaccessible if the person isn’t logged in. This consists of pages like transaction historical past, drafts, and logout pages. Flask-Login gives a handy technique to defend these pages/routes and limit entry to authenticated customers utilizing the login_required decorator. Right here’s a breakdown of the way it works.

To utilize this performance, it’s important to import the login_required decorator from Flask-Login:

from flask_login import login_required

Subsequent, it’s important to add the login_required decorator to any route that you just need to defend. As an illustration, let’s create a logout web page that may solely be accessed when the person is logged in:

  def  logout():
    return redirect(url_for('login'))

Right here’s a breakdown of the way it works:

  • Similar to within the login view, @app.route('/logout') defines a route for the URL path /logout.

  • Subsequent, we add a login_required decorator that ensures that the person should be logged in to entry the logout route. If a person isn’t logged in and tries to entry this route, they’ll be redirected to the login web page.

  • Contained in the logout operate, logout_user() is named. This operate is supplied by Flask-Login and is used to log the present person out.

  • After logging out the person, the operate redirects them to the login route utilizing redirect(url_for('login')).

So, when a person accesses the /logout route, Flask-Login ensures they’re logged in (@login_required), logs them out, and redirects them to the login web page. This helps to securely deal with person logout in your Flask utility. The login_required decorator is utilized to the /protected route, indicating that solely authenticated customers can entry it. And if a person tries to entry a protected web page with out being logged in, Flask-Login will redirect them to the login web page.

Including Templates

Templates in Flask will let you make use of HTML pages to outline how your website will look. To totally implement the logic in our app.py file, we’re going to create the HTML pages pictured beneath.

Our app's file structure

The animation beneath exhibits how the templates render the completely different pages of our website.

You’ll be able to see the complete code for this tutorial and be taught extra about its implementation on this article’s GitHub repository.

How Flask-Login Manages Person Classes with Person Session Cookies

A person session is a system used to trace and replace person info whereas the person is logged in. Flask-Login manages these periods by storing a session cookie on the person’s browser. The session cookie is a small piece of knowledge that incorporates a singular identifier for the person’s session.

When a person logs in to a web site utilizing Flask-Login, the server generates a session cookie and sends it to the person’s browser. The browser shops the session cookie and consists of it in all requests to the server. The server makes use of the session cookie to determine the person and their session state.

For instance, if the person is logged in and visits a web page protected by Flask-Login, Flask-Login will examine the session cookie to see if the person is authenticated. If the person is authenticated, Flask-Login will load the person’s profile info from the database and make it accessible to the view. If the person isn’t authenticated, Flask-Login will redirect the person to the login web page.

When the person logs out of the web site, the server deletes the session cookie from the person’s browser, which terminates the person session.


Flask affords quite a lot of features that handle completely different facets of authentication, starting from person session administration to authorization. By making use of those features, you possibly can implement a sturdy and safe authentication system tailor-made to the particular wants of your utility.