I've spent the last few days converting Surftrackr to a multi-user application. This decision was based on user feedback, although it had occurred to me it might be a good idea. But I didn't want to get into it right from the start of the project, since I'd rather make Surftrackr work flawlessly for one user before adapting it for multiple users. Down the other road lies madness.
Rather than using Django's form-based authentication, Surftrackr authentication will rely on setting up your Apache to authenticate users. This has the tremendous benefit of immediate integration with (for example) LDAP or a MySQL user-database against which your Apache authenticates. LDAP also means you can authenticate against Windows Domain Controllers, since they support LDAP and Apache can just plug into it. Just to keep things simple, however, you can disable Surftrackr authentication and use it as you do at the moment, just as a single-user app.
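One way an application can consume Apache-side authentication, as an added example (not Surftrackr's own code): a WSGI wrapper that takes the username only from the server-set `REMOTE_USER` variable, fails closed when it is missing, and falls back to a fixed account when authentication is disabled. The names `RemoteUserGate`, `SINGLE_USER`, `demo_app`, `run` and the `surftrackr.user` environ key are assumptions made for the illustration.

```python
# Added example; every name here is hypothetical, not taken from Surftrackr.
SINGLE_USER = "default"  # assumed account used when authentication is disabled


class RemoteUserGate:
    """WSGI wrapper that trusts only the identity the web server established."""

    def __init__(self, app, auth_enabled=True):
        self.app = app
        self.auth_enabled = auth_enabled

    def resolve_user(self, environ):
        """Return the username for this request, or None if unauthenticated."""
        if not self.auth_enabled:
            return SINGLE_USER
        # REMOTE_USER is set by the server after its auth modules (LDAP,
        # MySQL, ...) succeed. HTTP_* keys are built from request headers and
        # are never consulted, so a client-sent "Remote-User" header is ignored.
        user = environ.get("REMOTE_USER", "").strip()
        return user or None

    def __call__(self, environ, start_response):
        user = self.resolve_user(environ)
        if user is None:
            # Apache should already have challenged; fail closed if it did not.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["surftrackr.user"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application: reports which user it is serving."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("tracking as %s\n" % environ["surftrackr.user"]).encode()]


def run(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

With this arrangement the application is only as protected as the Apache location it sits behind, so the authentication directives must cover every URL that reaches the wrapped app.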
Django has, as usual, made this an easy target rather than something which would make me edgy, hostile and uncooperative. Doing this without Django's flexible user authentication scheme and easy-to-change database queries would have been a much longer and more frustrating task. Looks like the Django devs got it exactly right again.
A couple more days of testing and some documentation about how to manage authentication, and I hope to have this uploaded and ready by the end of the week. Check back soon :)