Access control is about defining who is allowed to access certain resources. It takes two steps:
- The user is authenticated, that is, the user’s identity is determined based on some form of identification in the request, such as a session cookie.
- After the user has been identified, we can decide whether that user is authorized to access a certain URL or resource.
For each HTTP request that Zotonic receives, it looks for some form of credentials that can identify the user. This can be a username/password combination when the user logs in for the first time, and a session cookie for subsequent requests. When Zotonic finds credentials, it checks them for validity. If the credentials are valid, the user is said to be authenticated and authorization can start.
The first request, which does not yet have a session cookie (or whose session cookie has expired), needs to contain credentials in order to be authenticated. The logon controller takes care of processing login requests and checks for the presence of a ‘remember me’ cookie for automatic login. It then responds with a fresh session cookie that the client sends along with subsequent requests.
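The following module is an added illustration of the two-step flow just described; it is not Zotonic's own code and uses no Zotonic API. It models the session store as a plain map, and the user table, password hashes and access-control list are constructed values chosen for the example. A request is first authenticated (by session cookie, or by username/password on the first request, which then receives a fresh cookie) and only an identified user goes on to the authorization decision.

```erlang
%% Added illustration, not Zotonic code: the two steps (authenticate, then
%% authorize) with a plain map as session store and constructed user/ACL data.
-module(acl_flow_example).
-export([handle/2, demo/0]).

%% Constructed user table: username => {UserId, sha256(Password)}.
%% A real deployment stores salted, slow password hashes instead.
users() ->
    #{<<"alice">> => {1, crypto:hash(sha256, <<"correct horse">>)}}.

%% Constructed ACL: UserId => resources that user may access.
acl() ->
    #{1 => [<<"/admin">>, <<"/page/42">>]}.

%% Step 1: authentication. A known session cookie identifies the user directly.
%% Otherwise username/password must be present (the "first request" case) and a
%% fresh session cookie is issued. Anything else is unauthenticated.
authenticate(#{session_cookie := Cookie}, Sessions) ->
    case maps:find(Cookie, Sessions) of
        {ok, UserId} -> {ok, UserId, Cookie, Sessions};
        error        -> {error, invalid_session}
    end;
authenticate(#{username := U, password := P}, Sessions) ->
    case maps:find(U, users()) of
        {ok, {UserId, Hash}} ->
            %% On OTP 25+ prefer crypto:hash_equals/2 for a constant-time compare.
            case crypto:hash(sha256, P) =:= Hash of
                true ->
                    Cookie = new_session_id(),
                    {ok, UserId, Cookie, Sessions#{Cookie => UserId}};
                false ->
                    {error, bad_credentials}
            end;
        error ->
            {error, bad_credentials}
    end;
authenticate(_Request, _Sessions) ->
    {error, no_credentials}.

%% Step 2: authorization, decided only for an already identified user.
is_allowed(UserId, Resource) ->
    lists:member(Resource, maps:get(UserId, acl(), [])).

%% Handle one request map; returns {StatusCode, SessionCookie | none, Sessions1}.
handle(#{resource := Resource} = Request, Sessions) ->
    case authenticate(Request, Sessions) of
        {error, _Reason} ->
            %% Not identified: the authorization step never runs.
            {401, none, Sessions};
        {ok, UserId, Cookie, Sessions1} ->
            case is_allowed(UserId, Resource) of
                true  -> {200, Cookie, Sessions1};
                false -> {403, Cookie, Sessions1}
            end
    end.

%% Unpredictable session identifier (128 random bits).
new_session_id() ->
    base64:encode(crypto:strong_rand_bytes(16)).

%% Walk through the flow from the text; every match asserts the expected outcome.
demo() ->
    S0 = #{},
    %% First request: no cookie yet, logon credentials present; a cookie is issued.
    {200, Cookie, S1} = handle(#{username => <<"alice">>,
                                 password => <<"correct horse">>,
                                 resource => <<"/admin">>}, S0),
    %% Subsequent request: identified by the session cookie alone.
    {200, Cookie, S2} = handle(#{session_cookie => Cookie,
                                 resource => <<"/page/42">>}, S1),
    %% Authenticated, but not authorized for this resource.
    {403, Cookie, S2} = handle(#{session_cookie => Cookie,
                                 resource => <<"/secret">>}, S2),
    %% Unknown cookie, wrong password and missing credentials are all rejected
    %% before any authorization decision is made.
    {401, none, S2} = handle(#{session_cookie => <<"forged">>,
                               resource => <<"/admin">>}, S2),
    {401, none, S2} = handle(#{username => <<"alice">>, password => <<"wrong">>,
                               resource => <<"/admin">>}, S2),
    {401, none, S2} = handle(#{resource => <<"/admin">>}, S2),
    ok.
```

Compile with `erlc acl_flow_example.erl` and run `acl_flow_example:demo().` in an Erlang shell; it returns `ok` only if every request in the walkthrough produced the expected status. The point to take from the structure is that `is_allowed/2` is reachable only through a successful `authenticate/2`, which keeps the two decisions from being confused.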
Authenticating subsequent requests, which have a session cookie, does not take place until a session is ensured (or continued) for the request context. This is commonly done by the controller handling the request by a call