Authentication using REMOTE_USER

    When the Web server takes care of authentication it typically sets the REMOTE_USER environment variable for use in the underlying application. In Django, REMOTE_USER is made available in the request.META attribute. Django can be configured to make use of the REMOTE_USER value using the RemoteUserMiddleware or PersistentRemoteUserMiddleware, and RemoteUserBackend classes found in django.contrib.auth.middleware and django.contrib.auth.backends, respectively.

    First, you must add django.contrib.auth.middleware.RemoteUserMiddleware to the MIDDLEWARE setting after django.contrib.auth.middleware.AuthenticationMiddleware.

    Next, you must replace ModelBackend with RemoteUserBackend in the AUTHENTICATION_BACKENDS setting.

    With this setup, RemoteUserMiddleware will detect the username in request.META['REMOTE_USER'] and will authenticate and auto-login that user using the RemoteUserBackend.

    Django’s user management, such as the views in contrib.admin and the createsuperuser management command, doesn’t integrate with remote users. These interfaces work with users stored in the database regardless of AUTHENTICATION_BACKENDS.

    Note

    Since the RemoteUserBackend inherits from ModelBackend, you will still have all of the same permissions checking that is implemented in ModelBackend.

    Users with is_active=False won’t be allowed to authenticate. Use AllowAllUsersRemoteUserBackend if you want to allow them to.

    Warning

    Be very careful if using a RemoteUserMiddleware subclass with a custom HTTP header. You must be sure that your front-end web server always sets or strips that header based on the appropriate authentication checks, never permitting an end-user to submit a fake (or “spoofed”) header value. Since the HTTP headers X-Auth-User and X-Auth_User (for example) both normalize to the HTTP_X_AUTH_USER key in request.META, you must also check that your web server doesn’t allow a spoofed header using underscores in place of dashes.

    This warning doesn’t apply to RemoteUserMiddleware in its default configuration with header = 'REMOTE_USER', since a key that doesn’t start with HTTP_ in request.META can only be set by your WSGI server, not directly from an HTTP request header.
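    The following is an added example and not part of the Django documentation. It spells out the two settings from the setup steps above and models, in plain Python without Django, how a WSGI server maps header names to request.META keys, why REMOTE_USER itself cannot be produced from a request header, and the stripping a front end must do when a custom identity header such as X-Auth-User is trusted (the header names and the sample request are constructed for the example).

```python
# Added example, not the Django project's own code. The two settings are the
# configuration described above; the helpers model how a WSGI server turns
# header names into request.META keys and what a front end must strip.

MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.auth.middleware.RemoteUserMiddleware",  # after AuthenticationMiddleware
]
AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.RemoteUserBackend"]

AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
REMOTE_MW = "django.contrib.auth.middleware.RemoteUserMiddleware"

def middleware_order_ok(middleware):
    """RemoteUserMiddleware needs request.user, so it must follow AuthenticationMiddleware."""
    return (AUTH_MW in middleware and REMOTE_MW in middleware
            and middleware.index(AUTH_MW) < middleware.index(REMOTE_MW))

def meta_key(header_name):
    """CGI/WSGI mapping of a header name to its request.META key: upper-case,
    '-' becomes '_', HTTP_ prefix. 'X-Auth-User' and 'X-Auth_User' collide."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def header_can_set_key(key):
    """A client header can only ever produce HTTP_* keys, so a key such as
    REMOTE_USER can come only from the WSGI server itself."""
    return key.startswith("HTTP_")

def strip_spoofable(headers, trusted_header):
    """Front-end policy: drop every client header that collides with the trusted
    identity header. Returns (kept, dropped) as lists of (name, value)."""
    target = meta_key(trusted_header)
    kept, dropped = [], []
    for name, value in headers:
        (dropped if meta_key(name) == target else kept).append((name, value))
    return kept, dropped

def build_meta(client_headers, trusted_header, authenticated_user):
    """META as Django would see it after the front end strips spoofable variants
    and sets the trusted header only for a user it authenticated itself."""
    kept, _ = strip_spoofable(client_headers, trusted_header)
    if authenticated_user is not None:
        kept.append((trusted_header, authenticated_user))
    return {meta_key(n): v for n, v in kept}

# Constructed request: a client supplies both spellings of the identity header.
SAMPLE_CLIENT_HEADERS = [("Host", "app.example"), ("X-Auth_User", "admin"), ("x-auth-user", "admin")]
```

With the stripping policy in place, HTTP_X_AUTH_USER reaches Django only when the front end itself set it; with the default header = 'REMOTE_USER' no stripping is needed because header_can_set_key("REMOTE_USER") is false.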

    If you need more control, you can create your own authentication backend that inherits from RemoteUserBackend and override one or more of its attributes and methods.

    Using REMOTE_USER on login pages only

    PersistentRemoteUserMiddleware provides support for this use case. It will maintain the authenticated session until explicit logout by the user. The class can be used as a drop-in replacement for RemoteUserMiddleware in the documentation above.