First, look at how the middleware is defined.
The auth module has two middleware classes: AuthenticationMiddleware and SessionAuthenticationMiddleware.
AuthenticationMiddleware is responsible for adding the user attribute to the request:

    from django.utils.functional import SimpleLazyObject

    class AuthenticationMiddleware(object):
        def process_request(self, request):
            # The session middleware must already have run for this request.
            assert hasattr(request, 'session'), (
                "The Django authentication middleware requires session middleware "
                "to be installed. Edit your MIDDLEWARE_CLASSES setting to insert "
                "'django.contrib.sessions.middleware.SessionMiddleware' before "
                "'django.contrib.auth.middleware.AuthenticationMiddleware'."
            )
            # get_user() is only called the first time request.user is accessed.
            request.user = SimpleLazyObject(lambda: get_user(request))

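As you can see, AuthenticationMiddleware first checks that the request has a session attribute, because it relies on the session to store the user's information.
Setting the user attribute is deferred to the get_user() function. SimpleLazyObject is a lazy-evaluation technique.
Now look at the definition of SessionAuthenticationMiddleware.
It is responsible for verifying the session: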

    from django.contrib import auth
    from django.utils.crypto import constant_time_compare

    class SessionAuthenticationMiddleware(object):
        """
        Middleware for invalidating a user's sessions that don't correspond to the
        user's current session authentication hash (generated based on the user's
        password for AbstractUser).
        """
        def process_request(self, request):
            user = request.user
            if user and hasattr(user, 'get_session_auth_hash'):
                session_hash = request.session.get(auth.HASH_SESSION_KEY)
                # A missing hash fails verification, just like a mismatched one.
                session_hash_verified = session_hash and constant_time_compare(
                    session_hash,
                    user.get_session_auth_hash()
                )
                if not session_hash_verified:
                    auth.logout(request)

It decides whether the user's session is valid by comparing the result of the user's get_session_auth_hash method with the value stored in the session under auth.HASH_SESSION_KEY.
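The check described above, as an added example that is not from the original article or from Django's source: a standard-library sketch in which the session hash is an HMAC over the stored password hash, so a password change invalidates every session that was not refreshed. DemoUser, login, verify_session and the secret are assumptions for illustration, and Django's own derivation of the hash differs in detail.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret"  # assumption: stands in for settings.SECRET_KEY
HASH_SESSION_KEY = "_auth_user_hash"     # plays the role of auth.HASH_SESSION_KEY


class DemoUser:
    """Hypothetical user model; `password` holds the stored password hash."""

    def __init__(self, password_hash):
        self.password = password_hash

    def get_session_auth_hash(self):
        # HMAC keyed with the server secret over the stored password hash:
        # any password change produces a different value.
        return hmac.new(SECRET_KEY, self.password.encode(), hashlib.sha256).hexdigest()


def login(session, user):
    """Record the user's current auth hash in the session at login time."""
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def verify_session(session, user):
    """Mirror of the middleware check: True if the session stays logged in."""
    session_hash = session.get(HASH_SESSION_KEY)
    verified = bool(session_hash) and hmac.compare_digest(
        session_hash, user.get_session_auth_hash()
    )
    if not verified:
        session.clear()  # stand-in for auth.logout(request)
    return verified


def demo():
    user = DemoUser("pbkdf2_sha256$constructed$old")  # constructed sample value
    laptop, phone = {}, {}
    login(laptop, user)
    login(phone, user)
    before = (verify_session(laptop, user), verify_session(phone, user))
    # The password is changed from the laptop; only that session is refreshed.
    user.password = "pbkdf2_sha256$constructed$new"
    login(laptop, user)
    after = (verify_session(laptop, user), verify_session(phone, user))
    legacy = verify_session({"_auth_user_id": "1"}, user)  # session with no hash
    return before, after, legacy, phone


if __name__ == "__main__":
    print(demo())
```

The phone session is cleared on its next request after the password change, and a session that never stored a hash is rejected as well.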
To see which attributes the user object on the request has, look at the definition of the get_user() function:

    from django.contrib import auth

    def get_user(request):
        # Look the user up once and cache it on the request object.
        if not hasattr(request, '_cached_user'):
            request._cached_user = auth.get_user(request)
        return request._cached_user

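Clearly, get_user adds a _cached_user attribute to the request to act as a cache.
Authenticating the user requires a database query to fetch the user's information, so reducing that overhead is worthwhile.
Note that this cache only applies within a single request, that is, when request.user is accessed several times in one view.
Every HTTP request gets a new request object.
Next, look at the definition of auth.get_user() to understand the request.user object in more depth: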

    from django.conf import settings

    # SESSION_KEY, BACKEND_SESSION_KEY and load_backend are defined in the
    # same module (django/contrib/auth/__init__.py).
    def get_user(request):
        """
        Returns the user model instance associated with the given request session.
        If no user is retrieved an instance of `AnonymousUser` is returned.
        """
        from .models import AnonymousUser
        user = None
        try:
            user_id = request.session[SESSION_KEY]
            backend_path = request.session[BACKEND_SESSION_KEY]
        except KeyError:
            pass
        else:
            # Only a backend still listed in settings is used to load the user.
            if backend_path in settings.AUTHENTICATION_BACKENDS:
                backend = load_backend(backend_path)
                user = backend.get_user(user_id)
        return user or AnonymousUser()
