1. Session Module: session.xq

MarkLogic Application Level Authentication setting

The optional module session.xq provides simple RESTful services that let you perform authentication at the application level instead of relying on server-level methods such as HTTP Digest or HTTP Basic authentication.

The library is intended as a starting point for building your own custom authentication mechanism for your users, not as a finished one.

Import the module library into your main xqrs.xqy code and it is ready to use.

2. Register the RESTXQ module

import module namespace session =
  "http://xmllondon.com/xquery/session" at

There are three RESTful services:

URI                Description
/session/login     Log in to a user session
/session/status    Shows which user is logged in and what roles they have
/session/logout    Logs out of the user session

3. User Log-in with /session/login

You can submit a POST request containing the user credentials in either XML or JSON format, declared with the matching Content-Type header:

Content-Type: text/xml (XML body) or Content-Type: application/json (JSON body)

JSON body:

{
  "user" : "john.smith",
  "password" : "password123"
}

On success the service responds with a 200 - Success status and a Set-Cookie header such as SessionID=6045388ef271f4e7; path=/, meaning that you have logged in. On failure it responds with a 401 - Unauthorized status, meaning the credentials were not accepted. Note that the sample cookie carries no HttpOnly or Secure attribute and the token is only 16 hex digits (64 bits); if you build on this module for production use, issue the cookie over TLS with HttpOnly and Secure set and generate the token from a cryptographic random source.

The session cookie issued upon a successful login is the token you must send back on all subsequent RESTful requests so that MarkLogic Server knows who you are.

All RESTful requests executed with the Session token happen within the context of the user's active session.

4. Checking status with /session/status

This service tells you which user you are logged in as and which roles that user has. It returns either an XML or a JSON response depending on the client's Accept header (content negotiation):

Accept: text/xml (XML response) or Accept: application/json (JSON response)

JSON response:

{
  "user" : "john.smith",
  "role" : [ "custom-write",
             "custom-execute" ]
}

5. Logging out with /session/logout

Sending a request to this service logs the user out and deletes the session cookie that was issued on login. This service should always respond with a 200 - Success status. Expiring the cookie on the client is not the same as invalidating the token on the server: a copy of the token captured earlier would keep working unless the server also discards the session, so verify that your implementation does both.
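The following is an added reference model of the login, status and logout flow described in sections 3 to 5, written for this page; it is not code from the session.xq module and does not show how that module stores sessions. The user name, roles and password are constructed sample data, the password hashing, cookie attributes (HttpOnly, Secure, SameSite) and 128-bit token are hardening choices assumed here, and only the JSON form of the login body and status response is modelled (Accept negotiation for XML is omitted).

```python
"""In-memory model of /session/login, /session/status and /session/logout.
Added example for this page, not code from the session.xq module; the user
directory, salt and cookie attributes below are constructed assumptions."""
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SessionID"
_SALT = b"constructed-static-salt"  # a real store keeps a random salt per user


def _hash_password(password: str) -> bytes:
    # PBKDF2 so a leaked credential table is not directly reusable
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed directory: user -> (password hash, roles)
USERS = {
    "john.smith": (_hash_password("password123"), ["custom-write", "custom-execute"]),
}


class SessionStore:
    """Server side of the three services; each call returns (status, headers, body)."""

    def __init__(self):
        self._sessions = {}  # token -> user name

    def login(self, body: str):
        """POST /session/login with a JSON body: 200 + Set-Cookie, or 401."""
        try:
            creds = json.loads(body)
            user, password = str(creds["user"]), str(creds["password"])
        except (ValueError, KeyError, TypeError):
            return 401, {}, ""
        record = USERS.get(user)
        # Hash before checking the user so unknown names cost the same time
        candidate = _hash_password(password)
        if record is None or not hmac.compare_digest(candidate, record[0]):
            return 401, {}, ""
        token = secrets.token_hex(16)  # 128 random bits from the OS CSPRNG
        self._sessions[token] = user
        cookie = f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
        return 200, {"Set-Cookie": cookie}, ""

    def _resolve(self, cookie_header):
        """Map a Cookie request header to (token, user); (None, None) if absent."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None, None
        return morsel.value, self._sessions.get(morsel.value)

    def whoami(self, cookie_header):
        """User and roles for a live session token, else None."""
        _, user = self._resolve(cookie_header)
        if user is None:
            return None
        return {"user": user, "role": list(USERS[user][1])}

    def status(self, cookie_header):
        """/session/status (JSON only; Accept negotiation omitted here)."""
        info = self.whoami(cookie_header)
        if info is None:
            return 401, {}, ""
        return 200, {"Content-Type": "application/json"}, json.dumps(info)

    def logout(self, cookie_header):
        """/session/logout: discard the server-side session and expire the cookie."""
        token, _ = self._resolve(cookie_header)
        self._sessions.pop(token, None)  # token is dead even if a copy was captured
        expired = f"{COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure"
        return 200, {"Set-Cookie": expired}, ""


if __name__ == "__main__":
    store = SessionStore()
    code, headers, _ = store.login('{"user": "john.smith", "password": "password123"}')
    cookie = headers["Set-Cookie"].split(";")[0]  # the part the client sends back
    print(code, headers["Set-Cookie"])
    print(store.status(cookie))
    print(store.logout(cookie))
    print(store.status(cookie))  # 401 once the session has been discarded
```

The logout path is the one to check in any implementation you build on the module: it removes the token from the store before telling the client to expire the cookie, so a replayed copy of the old SessionID is refused afterwards.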