Global navigation

   Documentation Center
   eZ Studio & eZ Platform
     User Manual
     Technical Manual
   eZ Publish 4.x / legacy

eZ Publish (5.x)

eZ Publish 5.x | For eZ Platform & eZ Studio topics see Technical manual and User manual, for eZ Publish 4.x and Legacy topics see eZ Publish legacy

Skip to end of metadata
Go to start of metadata

Since 5.0, two authentication methods are supported: session, and basic.

Session based authentication is meant to be used for AJAX operations. It will let you re-use the visitor's session to execute operations with their permissions.

Basic authentication is often used when writing cross-server procedures, when one remote application executes operations on one/several eZ Publish instances (remote publishing, maintenance, etc).

The default authentication method in 5.x is Basic authentication. As of release 2015.01, Session has been changed to be default.

Session based authentication

This authentication method requires a Session cookie to be sent with each request.

If this authentication method is used with a web browser, this session cookie is automatically available as soon as your visitor logs in. Add it as a cookie to your REST requests, and the user will be authenticated.

Setting it up

Not needed as of 2015.01 release as default is now Session.

To enable session based authentication, you need to edit ezpublish/config/security.yml, and comment out / remove the configuration block about Basic Auth (shown in the following section).


As of 5.3 / 2014.04, you also need to add the following configuration in your ezpublish/config/security.yml:


Logging in

It is also possible to create a session for the visitor if he isn't logged in yet. This is done by sending a POST request to /user/sessions. Logging out is done using a DELETE request on the same resource.

HTTP Basic authentication

To enable HTTP Basic authentication, you need to edit ezpublish/config/security.yml, and add/uncomment the following block. Note that this is enabled by default.


Basic authentication requires the username and password to be sent (username:password), based 64 encoded, with each request, as explained in RFC 2617.

Most HTTP client libraries as well as REST libraries do support this method one way or another.

Raw HTTP request with basic authentication

1 Comment

  1. A note for people playing around with using the Symfony firewall(s) with different access rules for different pats of APIs: if you use "ezpublish" as autehnticator for a new firewall you define for a part of the site, you will get symfony exceptions unless you reste the check_path and login_path variables, eg:

                pattern: ^/api/xxx_rest_session/v1