Skip to main content
ZenHub houses documentation to support you if you’re using Contensis Classic. Contensis Classic includes our WYSIWYG and templating features. If you’re working with a newer version of Contensis, is your go-to place to find anything Contensis-related when building with content types.

Website authentication and security

This article will take you through some of the ways in which you can set up authentication and secure your website.


  • The server carrying out authentication must be able to communicate back to the CMS database and the CMS config setting
    Contensis_Data_HasContensisDatabaseAccess must be set to true.

  • If you want to authenticate using Active Directory (AD) then the server carrying out authentication must be part of the domain. If you’re unsure if Active Directory has been set up, speak to your organisation's system administrator or read this article.

General setup

To enable authentication in Contensis you need to make changes to several values in the cms.config file. These values tell the server how to deal with authentication. By adjusting them you can set up an authentication model that meets the specific requirements of your website.   

Setup pages and controls

To set up authentication, first create a folder off the root called account. Assign a page template to the folder if one is not already assigned.

Next, create two pages – one called login, and one called access-denied. Set the login page as the folder homepage.

Once you’ve created the pages, edit the login page and add the standard login control by right-clicking in a placeholder, going to Insert Webcontrol > Membership / Authentication, and selecting the Login control. Configure this as required.

Access denied and login pages

Handling the access denied page and login page is fairly straight-forward. All you need to do is configure the Contensis_authentication_AccessDeniedUrl and  Contensis_authentication_DefaultLoginUrl settings to point to the relevant pages.

The login page should have the Contensis login control on the page and the access denied page should have some text explaining that the user doesn't have permissions to access the content they are trying to access. 

Assign permissions

For a user to view a piece of content on the delivery server with authentication enabled for that piece of content, you must add permissions for them to view the piece of content against the user they are using to authenticate. Folder permissions are not used for authentication – the content type and template permissions set against a folder are used instead.

It is also worth noting that if you have configured permissions, any anonymous user is called Public User. This means that any user who visits your site will in effect be logged in as the Public User. 

Typical scenarios

The solutions to both of the scenarios below require you to change CMS Config settings. These can be found in the Management Console > Project Overview > Publishing Servers. Each publishing server has a link next to it to edit the CMS Config. We suggest that you open this screen when running through these examples.

I want to authenticate a small section of my site

In this scenario we have a general purpose informational website with 3000 web pages. All of the content held in the informational sections is publicly available, but the site requires two small areas to be authenticated for viewing order information and for accessing a backend extranet.

The first thing to do is make sure thee 3000 publicly-available pages can be accessed by all visitors. To do this we need to enable Anonymous access. This can be done by setting Contensis_authentication_allowAnonymous to true.

But, we certainly don’t want to ignore permissions, as we have a section that is enabled for permission checking, so we will set Contensis_authentication_ignorePermissions to false. This setting is only normally useful if you are running a secure site and you want to temporarily turn off permissions without changing all your other configurations, or if you have specifically added some code to force permissions checking outside of the configuration settings.

As we don’t want to turn on authentication everywhere on the site, we are going to set Contensis_authentication_ForceAuthentication to false.

In order to authenticate all of the extranet directory and part of the customers directory (in this case returning customers only),we will modify the Contensis_authentication_inclusions setting and change the value to /extranet/*,/customers/returning/*. The asterisk is a wildcard here and is required so that all the sub directories below the named directories are included in the authenticated area of the site.

We don't want to authenticate any of the resources within the customers or extranet directory, so we need to check the permissions on these directories and add the public user to give anonymous visitors access to these resources. You may think, why not simply change Contensis_authentication_exceptions and set it to *.axd,*.css,*.gif,*.png,*.flv,*.swf,*.js* The problem with this is that an inclusion overrides an exclusion, so this would not be possible. In this example /customers/test.jpg would be authenticated whether you set it in the exceptions or not, because the whole of /customers/ is already included and an include outweighs an exclude.

I want to authenticate my entire site

In this scenario we have an intranet consisting of 2000 web pages. All of the content requires authentication as the information is sensitive and only for internal use. The only exceptions to this are the login and access denied screens.

The first thing to do is make sure none of our content can be accessed by users who aren't logged in. We do this by by setting Contensis_authentication_allowAnonymous to false.

As we want to turn on authentication for every part of the site, we are going to set Contensis_authentication_ForceAuthentication to true.

As above, we don’t want to ignore permissions as the entire site requires authentication, so we will set Contensis_authentication_ignorePermissions to false.

There are 2 pages in the entire site that we need people to be able to view without being prompted for authentication – the login page and the access denied page. The access denied page automatically gets added to the exceptions, therefore the only exception we need to add is the login page. To set this you need to update Contensis_authentication_exceptions and set it to /account/login.aspx.


If you want to authenticate a microsite you can create an account folder with the same pages and controls in the microstie folder and Contensis will use these pages for authentication instead of the main website pages.

Set up AD logins for your published sites

Assuming you have followed the steps above and you have Active Directory Synchronisation configured correctly, AD users who are synchronised with Contensis will be able to log in to the site using the standard login controls. By default Contensis is configured to allow mixed authentication, i.e. Contensis Users and AD Users.

Note: the web server carrying out the authentication needs to be part of the domain.