Flask User Login System Tutorial

It has taken us quite a bit, but here we are: the login page! If you have not already, then you should register a few users, and remember one of them to test our login page when we're done.

We already have the login template, which we can just keep, but now the verification process needs to verify against users in our database, rather than against the hard-coded admin user.

Part of __init__.py file
@app.route('/login/', methods=["GET","POST"])
def login_page():
    error = ''
        c, conn = connection()
        if request.method == "POST":

            data = c.execute("SELECT * FROM users WHERE username = (%s)",
            data = c.fetchone()[2]

            if sha256_crypt.verify(request.form['password'], data):
                session['logged_in'] = True
                session['username'] = request.form['username']

                flash("You are now logged in")
                return redirect(url_for("dashboard"))

                error = "Invalid credentials, try again."


        return render_template("login.html", error=error)

    except Exception as e:
        error = "Invalid credentials, try again."
        return render_template("login.html", error = error)  

Here, we're using the connection file we wrote to connect to the database (dbconnect.py), which has the function called connection.

We're doing the same check as before for the POST method. If so, we're then going to query the database to see if the username the person has input is in the database, not forgetting to use thwart to protect against SQL injection.

Next, if the username exists, we then compare the attempted username to the hashed password that we have on record, verifying whether or not the stored hash's source is the same as what the user tried as a password.

If so, then we're logging in the user via Flask's session functionality, then we're sending them to the dashboard, since they're all done with the login page.

If anything goes wrong, the error we give is just "Invalid credentials, try again." You can give custom errors, like that username doesn't exist, or wrong password, but someone attempting to hack your website or the username can use this to their advantage, knowing exactly where they have gone wrong.

The next tutorial:

  • Introduction to Practical Flask
  • Basic Flask Website tutorial
  • Flask with Bootstrap and Jinja Templating
  • Starting our Website home page with Flask Tutorial
  • Improving the Home Page Flask Tutorial
  • Finishing the Home Page Flask Tutorial
  • Dynamic User Dashboard Flask Tutorial
  • Content Management Beginnings Flask Tutorial
  • Error Handling with Flask Tutorial
  • Flask Flash function Tutorial
  • Users with Flask intro Tutorial
  • Handling POST and GET Requests with Flask Tutorial
  • Creating MySQL database and table Flask Tutorial
  • Connecting to MySQL database with MySQLdb Flask Tutorial
  • User Registration Form Flask Tutorial
  • Flask Registration Code Tutorial
  • Finishing User Registration Flask Tutorial
  • Password Hashing with Flask Tutorial
  • Flask User Login System Tutorial
  • Decorators - Login_Required pages Flask Tutorial
  • Dynamic user-based content Flask Tutorial
  • More on Content Management Flask Tutorial
  • Flask CMS Concluded Flask Tutorial
  • The Crontab Flask Tutorial
  • Flask SEO Tutorial
  • Flask Includes Tutorial
  • Jinja Templating Tutorial
  • Flask URL Converters Tutorial
  • Flask-Mail Tutorial for email with Flask
  • Return Files with Flask send_file Tutorial
  • Protected Directories with Flask Tutorial
  • jQuery with Flask Tutorial
  • Pygal SVG graphs with Flask Tutorial
  • PayPal with Flask Web Development Tutorial
  • Securing your Flask website with SSL for HTTPS using Lets Encrypt