[eluser]pickupman[/eluser]
I would say it is common practice to need both. You will need a auth model to query to DB for user credentials. Typically you will find it the easiest to have some sort of auth controller, to allow users to login/logout/update profile. By having one point of entry to login it will be easier to maintain. You may end up extending your application that may require login as well.