I'm doing a very rich UI with authentication, but it's all custom. In my experience, while the *concept* of registration/user management/authentication is standard, the *implementation* always has some nuances. I suspect that's why there isn't a cookie-cutter authentication scheme out there. (Not to mention if there was one, and everyone loved it and used it, it would be far less secure.)
I do the basics from the docs page here: http://webpy.org/docs/0.3/sessions
I then extended that with my specific database stuff for logging in, checking password, etc.
For ensuring a user remains authenticated, I put the user_id in the session. I use an auth handler that fires on every request - and throws you back to the login page if your cookie ever goes away. (/bypass is an example of a url that *is* allowed, even without an authenticated session. Be aware, it appears /static is exempt by default, so don't put anything secret in there.)
path = web.ctx.path
if path == "/bypass":
if path != "/login" and not session.get('user', False):
raise web.seeother('/login?msg=' + urllib.quote_plus("Session expired."))
Just banged this out while eating lunch. Hope it helps.