If you want to add user login capability to your website (that is, authentication and authorization) use an existing framework. Unless you’re an expert in security, the probability of writing secure a system is close to 0. This applies regardless of the language you program in and regardless of the framework you are using.

Unfortunately, I have seen people answer this question as follows: “This is not that hard, and fun to code, as a beginner. You need a place to store your data (let’s say a mysql database). You should store ENCRYPTED versions of the passwords, etc. etc.” This answer is COMPLETELY INCORRECT.

There are free authentication frameworks available, USE THEM. For example, Django and web2py have built-in authentication systems. Many frameworks do not come with built-in authentication (e.g. Flask, webpy); this does not mean you should roll out your own framework. It just means you should find 3rd party authentication software. For Flask, there is Flask-login.

So, the answer to my original questions are:

1.) Yes, or integrate a verified 3rd-party software system.

2.) Yes, the best practices says DO NOT WRITE YOUR OWN AUTHENTICATION SYSTEM. Use one that’s already been built.

3.) You shouldn’t need a guide to building an authentication system, because you shouldn’t be building one. However, OWASP is a great security resource.

Here’s a brief summary:
Do not write your own authentication system. Use a pre-built authentication system that is trusted. If anyone has any recommendations for authentication systems that can be used with Python, feel free to post them.