Absolutely little apps. But why do I need to run them all myself? There are plenty of options coming such as SXIP that will allow me to use someone else's application (running elsewhere) for login.
One of the good things about building your site(s) as a community of applications instead of a community of components in a framework, is that you've created a decoupled system where migration to and from these external services is not a painful or architecture-changing process.
until you want to run a report like
select u.id, count(*) from users u, forums f where u.id = f.user_id group by u.id
If your login app is separate from your forum app, you're kinda screwed at that point.
(But I guess if you're treating the database like a slightly brain-damaged object store, this isn't a problem since this sort of thing wouldn't occur to you. :)
Separating the login doesn't necessarily mean you cease to keep track of users for your web application; it merely means that the login/logout is handled outside. Single sign-on systems generally work in such a way. The user signs on, does some sort of authentication, then you get a token for that user which you store as their identifier in your user database. You still store user data necessary for your web application; the other system handles logging them on/off.
If you made your own WSGI login app, I'd do a similar thing. Once they log in, set up a unique token in the environment for the web application, then inside the web application it will still have its own user database, etc.
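The pattern from the last comment, sketched as an added example that is not part of the thread: a WSGI login layer verifies a signed token and places it in the environ, and the forum app keys its own user table on that token, so the report join from earlier still runs locally. Assumptions: the HMAC-signed `auth` cookie, `SECRET`, the `login.token` environ key and the table layout are all hypothetical.

```python
import hashlib, hmac, sqlite3
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

SECRET = b"constructed-demo-key"  # assumption: key shared with the login service
TOKEN_KEY = "login.token"         # hypothetical environ key, not a WSGI standard

def sign(token):  # what the login service would issue after authenticating
    mac = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"

def verify(value):
    token, _, mac = value.rpartition(".")
    good = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    return token if token and hmac.compare_digest(mac.encode(), good.encode()) else None

def login_middleware(app):
    def wrapped(environ, start_response):
        environ.pop(TOKEN_KEY, None)  # drop anything set before verification
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("auth")
        token = verify(morsel.value) if morsel else None
        if token is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login required"]
        environ[TOKEN_KEY] = token
        return app(environ, start_response)
    return wrapped

db = sqlite3.connect(":memory:")  # the forum app's own database
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, login_token TEXT UNIQUE);
CREATE TABLE forums (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id));
""")

def forum_app(environ, start_response):
    token = environ[TOKEN_KEY]  # identity comes only from the middleware
    db.execute("INSERT OR IGNORE INTO users (login_token) VALUES (?)", (token,))
    uid = db.execute("SELECT id FROM users WHERE login_token = ?", (token,)).fetchone()[0]
    db.execute("INSERT INTO forums (user_id) VALUES (?)", (uid,))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"posted"]

def report():  # the join from the thread, run against the local tables
    return db.execute("select u.id, count(*) from users u, forums f "
                      "where u.id = f.user_id group by u.id").fetchall()

def request(app, cookie=""):  # drive the stack with a constructed request
    env = {"HTTP_COOKIE": cookie}
    setup_testing_defaults(env)
    status = []
    app(env, lambda s, h: status.append(s))
    return status[0]
```

The forum app never sees credentials, only the verified token, and a request with a missing or tampered cookie is rejected before it reaches the application.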