mod_authentication

This module contains the main Zotonic authentication mechanism. It contains the logon and logoff controllers, and implements the various hooks as described in the Access control manual.

Configuration keys:

mod_authentication.password_min_length
The minimumum length of passwords. Defaults to 8, set this to an integer value.
mod_authentication.is_rememberme
Set this to 1 to check the remember me checkbox per default
mod_authentication.is_one_step_logon
Normally a two-step logon is used, first the username is requested, then the password is requested. In between the server checks the username and is able to show alternative authentication methods based on the username. Set this to 1 to show the username and password field at once, and disable the display of alternative authentication methods.
mod_authentication.is_signup_confirm
Set to 1 to force user confirmation of new accounts. This is useful when using 3rd party authentication services. If a new identity is found then a new account is automatically added. With this option set the user will be asked if they want to make a new account. This prevents duplicate accounts when using multiple authentication methods.
mod_authentication.reset_token_maxage
The maximum age of the emailed reset token in seconds. Defaults to 48 hours (172800 seconds). This must be an integer value.
mod_authentication.email_reminder_if_nomatch
On the password reset form, a user can enter their email address for receiving an email to reset their password. If a user enters an email address that is not connected to an active account then we do not send an email. If this option is set to 1 then an email is sent. This prevents the user waiting for an email, but enables sending emails to arbitrary addresses.
mod_authentication.auth_secret
The secret used to sign authentication cookies. This secret is automatically generated. Changing this secret will invalidate all authentication cookies.
mod_authentication.auth_anon_secret
The secret to sign authentication cookies for the anonymous user. This secret is automatically generated. Changing this secret will invalidate all authentication cookies for anonymous users.
mod_authentication.auth_user_secret
The secret to sign authentication cookies for the identified users if there is no database to store individual secrets.
mod_authentication.auth_autologon_secret
The secret to sign remember me cookies. This secret is automatically generated. Changing this secret will invalidate all remember me cookies for all users.

Related configurations:

site.password_force_different
Set to 1 to force a user picking a different password if they reset their password.
site.ip_allowlist
If the admin password is set to admin then logon is only allowed from local IP addresses. This configuration overrules the ip_allowlist global configuration and enables other IP addresses to login as admin if the password is set to admin.

Edit on GitHub

Models

m_authentication

Not yet documented.

Controllers

controller_authentication

This controller manages all authentication cookies. It is called by the auth model in the browser.

controller_logoff

Controller that logs off a user, destroying the session. It also removes any “remember me” cookies the user has, so…

controller_logon_done

This controller is used as a jumping stone after a log on from the /logon page. The p argument is passed from the…

Dispatch rules

dispatch

Dispatch rules Name Path Resource Args logoff [“logoff”] controller_logoff [] logon [“logon”] controller_template…

Validators

acceptable_password

A validator to check whether a password conforms to the password secutiry requirements.

See also

m_identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

Referred by

Customizing the sign up and sign in form

You want to change parts of the form, or change its appearance.

m_identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

All dispatch rules

All the dispatch rules from all modules. For a background on dispatch rules, see The URL dispatch system.