silverstripe-framework/docs/en/02_Developer_Guides/09_Security/03_Authentication.md

title: Authentication
summary: Explains SilverStripe's Authentication options and custom authenticators. 

# Authentication

By default, SilverStripe provides a [MemberAuthenticator](api:SilverStripe\Security\MemberAuthenticator\MemberAuthenticator) class which hooks into its own internal
authentication system.

The main login system uses these controllers to handle the various security requests:

[Security](api:SilverStripe\Security\Security) - Which is the controller which handles most front-end security requests, including logging in, logging out, resetting password, or changing password. This class also provides an interface to allow configured [Authenticator](api:SilverStripe\Security\Authenticator) classes to each display a custom login form.	

[CMSSecurity](api:SilverStripe\Security\CMSSecurity) - Which is the controller which handles security requests within the CMS, and allows users to re-login without leaving the CMS.

## Member Authentication

The default member authentication system is implemented in the following classes:

[MemberAuthenticator](api:SilverStripe\Security\MemberAuthenticator) - Which is the default member authentication implementation. This uses the email and password stored internally for each member to authenticate them.	

[MemberLoginForm](api:SilverStripe\Security\MemberAuthenticator\MemberLoginForm) - Is the default form used by `MemberAuthenticator`, and is displayed on the public site at the url `Security/login` by default.

[CMSMemberLoginForm](api:SilverStripe\Security\MemberAuthenticator\CMSMemberLoginForm) - Is the secondary form used by `MemberAuthenticator`, and will be displayed to the	user within the CMS any time their session expires or they are logged out via an action. This form is	presented via a popup dialog, and can be used to re-authenticate that user automatically without them having	to lose their workspace. E.g. if editing a form, the user can login and continue to publish their content.

## Custom Authentication

Additional authentication methods (oauth, etc) can be implemented by creating custom implementations of each of the
following base classes:

[Authenticator](api:SilverStripe\Security\Authenticator) - The base class for authentication systems. This class also acts as the factory to generate various login forms for parts of the system. If an authenticator supports in-cms	reauthentication then it will be necessary to override the `supports_cms` and `get_cms_login_form` methods.

[LoginForm](api:SilverStripe\Security\LoginForm) - which is the base class for a login form which links to a specific authenticator. At the very least, it will be necessary to implement a form class which provides a default login interface. If in-cms re-authentication is desired, then a specialised subclass of this method may be necessary. For example, this form could be extended to require confirmation of username as well as password.

## Default Admin

When a new SilverStripe site is created for the first time, it may be necessary to create a default admin to provide
CMS access for the first time. SilverStripe provides a default admin configuration system, which allows a username
and password to be configured for a single special user outside of the normal membership system.

It is advisable to configure this user in your `.env` file inside of the web root, as below:

	# Configure a default username and password to access the CMS on all sites in this environment.
	SS_DEFAULT_ADMIN_USERNAME="admin"
	SS_DEFAULT_ADMIN_PASSWORD="password"

When a user logs in with these credentials, then a [Member](api:SilverStripe\Security\Member) with the Email 'admin' will be generated in
the database, but without any password information. This means that the password can be reset or changed by simply
updating the `.env` file.
Rebased additional documentation since May 2014. New pages filed and metadata added. 2014-10-20 10:57:35 +02:00			`title: Authentication`
			`summary: Explains SilverStripe's Authentication options and custom authenticators.`

API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00			`# Authentication`

FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`By default, SilverStripe provides a [MemberAuthenticator](api:SilverStripe\Security\MemberAuthenticator\MemberAuthenticator) class which hooks into its own internal`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00			`authentication system.`

			`The main login system uses these controllers to handle the various security requests:`
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`[Security](api:SilverStripe\Security\Security) - Which is the controller which handles most front-end security requests, including logging in, logging out, resetting password, or changing password. This class also provides an interface to allow configured [Authenticator](api:SilverStripe\Security\Authenticator) classes to each display a custom login form.`
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`[CMSSecurity](api:SilverStripe\Security\CMSSecurity) - Which is the controller which handles security requests within the CMS, and allows users to re-login without leaving the CMS.`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00
			`## Member Authentication`

			`The default member authentication system is implemented in the following classes:`
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`[MemberAuthenticator](api:SilverStripe\Security\MemberAuthenticator) - Which is the default member authentication implementation. This uses the email and password stored internally for each member to authenticate them.`
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			[MemberLoginForm](api:SilverStripe\Security\MemberAuthenticator\MemberLoginForm) - Is the default form used by `MemberAuthenticator`, and is displayed on the public site at the url `Security/login` by default.
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			[CMSMemberLoginForm](api:SilverStripe\Security\MemberAuthenticator\CMSMemberLoginForm) - Is the secondary form used by `MemberAuthenticator`, and will be displayed to the user within the CMS any time their session expires or they are logged out via an action. This form is presented via a popup dialog, and can be used to re-authenticate that user automatically without them having to lose their workspace. E.g. if editing a form, the user can login and continue to publish their content.
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00
			`## Custom Authentication`

			`Additional authentication methods (oauth, etc) can be implemented by creating custom implementations of each of the`
			`following base classes:`
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			[Authenticator](api:SilverStripe\Security\Authenticator) - The base class for authentication systems. This class also acts as the factory to generate various login forms for parts of the system. If an authenticator supports in-cms reauthentication then it will be necessary to override the `supports_cms` and `get_cms_login_form` methods.
DOCS Fix issue with bullets and backticks thinking they are code blocks Thanks to @stojg for reporting. 2015-05-23 07:58:51 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`[LoginForm](api:SilverStripe\Security\LoginForm) - which is the base class for a login form which links to a specific authenticator. At the very least, it will be necessary to implement a form class which provides a default login interface. If in-cms re-authentication is desired, then a specialised subclass of this method may be necessary. For example, this form could be extended to require confirmation of username as well as password.`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00
			`## Default Admin`

Rebased additional documentation since May 2014. New pages filed and metadata added. 2014-10-20 10:57:35 +02:00			`When a new SilverStripe site is created for the first time, it may be necessary to create a default admin to provide`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00			`CMS access for the first time. SilverStripe provides a default admin configuration system, which allows a username`
			`and password to be configured for a single special user outside of the normal membership system.`

DOCS Updated environment management docs to use .env file 2017-01-30 16:34:55 +01:00			It is advisable to configure this user in your `.env` file inside of the web root, as below:
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00
DOCS Updated environment management docs to use .env file 2017-01-30 16:34:55 +01:00			`# Configure a default username and password to access the CMS on all sites in this environment.`
			`SS_DEFAULT_ADMIN_USERNAME="admin"`
			`SS_DEFAULT_ADMIN_PASSWORD="password"`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`When a user logs in with these credentials, then a [Member](api:SilverStripe\Security\Member) with the Email 'admin' will be generated in`
API Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure 2014-10-06 05:01:33 +02:00			`the database, but without any password information. This means that the password can be reset or changed by simply`
DOCS Updated environment management docs to use .env file 2017-01-30 16:34:55 +01:00			updating the `.env` file.