Flask-Login Authentication — ELI5

When you enter an amusement park, you buy a ticket at the gate. The staff checks your ticket, then gives you a wristband. For the rest of the day, you just flash your wristband to ride any ride. You don’t buy a new ticket each time.

Flask-Login is the wristband system for your website. When someone logs in (shows their ticket — username and password), Flask-Login gives their browser a wristband (a session cookie). Every time they visit another page, the browser automatically shows the wristband. Flask-Login checks it and says “yep, that’s Alice, let her through.”

Without this system, users would have to type their password on every single page. Click on “My Profile”? Password. Click on “Settings”? Password again. That would be unbearable.

The wristband doesn’t have your password written on it — that would be dangerous if someone stole it. Instead, it has a code that links back to your account. Flask-Login uses this code to look up who you are from the database each time.

Some rides are restricted. “You must be this tall” at the amusement park becomes “you must be logged in” on a website. Flask-Login provides a simple way to mark pages as restricted: if you don’t have a wristband, you get sent back to the entrance (the login page).

When you leave the park, you can toss your wristband. That’s logging out — Flask-Login throws away the session so the code doesn’t work anymore.

The key takeaway: Flask-Login manages the cycle of proving who you are once (login), remembering you across pages (session), and forgetting you when you’re done (logout).
