auth doesn't allow direct use of login() (without prior authenticate call)

[Rhett Garber]

It would appear that I cannot call login without calling authenticate() because the 'backend' member variable does not exist until you call authenticate.
This seems rather unfriendly at least, but also limiting for no good reason. What if I want to handle authentication myself?

I'm not sure if this is the only place that matters:

django.contrib.auth.__init__ line 53:

request.session[BACKEND_SESSION_KEY] = user.backend

My usage of this is a signup page. I create the user, and I just want to directly log them in my calling login(request, user) on my newly created user object. I would rather not have an extra authenticate() call.

[Malcolm Tredinnick]

This is not a good idea. The login() method is designed to make the current authorisation token persistent. It assumes the user has already been authorised by passing an authentication phase. That is one reason why we also record which backend they authenticated against, so that we can interact with it later if needs be.

If you want to handle the authentication yourself, then writing your own authentication backend is the solution. If you want to log them in immediately after creating the account, you will have the password and username (if that's what your auth backend needs) at that point and can call authenticate() correctly. But marking a users as logged in without having authenticated them via one of the approved backends with the required credentials would be a security hole (it would let apps work around a site's configured security settings, for example).