The act of establishing a confirmed identity of our peer.

Authentication is done for every request that is processed by zotonic. Using cookies, this process is simplified by returning a session cookie along with the response to the client once authenticated. For subsequent requests, the request can be authenticated by the current session when the session cookie is sent along with the request.

Authenticating a request with a session cookie does not take place until a session is ensured (or continued) for the request context. This is commonly done by the controller handling the request by a call to z_context:ensure_all/1.

Requests that does not yet have a session cookie, or whose session cookie has expired, need to provide some credentials in order to be authenticated. The logon controller takes care of processing login requests and checks for the presence of a “remember me” cookie for automatic login.

Zotonic relies on a number of notifications to support and manage the authentication functionality. An overview of the notifications involved during authentication is given in the following table:

Notification Type Return Description
auth_confirm foldl Context Sent when a user id has been confirmed.
auth_confirm_done notify  
auth_logon foldl Context Sent when a user has been authenticated.
auth_logon_done notify  
auth_logoff foldl Context Sent when a user is about to log out, removing the authentication from the current session.
auth_logoff_done notify   Sent when a user has been logged out.
auth_autologon first {ok, UserId} Sent for new sessions from z_auth:logon_from_session/1. Will attempt to authenticate the session as UserId (if there was any observer responding to the notification).
#user_is_enabled{id} first boolean() Ask observers if the user is enabled (allowed to login, to be authenticated). If the result is undefined, the resource is_published, publication_start and publication_end is checked instead.

Previous topic

Access Control

Next topic