
I am working on a python web application based on the pyramid framework. I am trying to add session authentication to it. By that I understand that:

  • users can log in/out (security is desirable); user data are kept in a database
  • authentication is handled via the session (request.session)

First off: Is session authentication a good option or are there better ones? Secondly: I can't really make heads or tails of the documentation and examples.

So far, I've followed http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/tutorials/wiki2/authorization.html#adding-login-and-logout-views to the point where I have a login/logout form. However, my authn_policy is a SessionAuthenticationPolicy (http://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.SessionAuthenticationPolicy).

As the session factory in pyramid is insecure (see http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/narr/sessions.html), I use *pyramid_beaker* instead.

The configuration is, in __init__.py:

    session_factory = session_factory_from_settings(settings)

and in the .ini file:

    beaker.session.lock_dir = %(here)s/data/sessions/lock
    beaker.session.type = ext:database
    beaker.session.sa.url = mysql://user:pass@localhost:3306/db
    beaker.session.table_name = user_session

I hope I was able to make my problem clear.


1 Answer

I'd say it depends on what you want to do. Session authentication works fine if you use Beaker, but I like using AuthTktAuthenticationPolicy for the additional timeout and reissue options, and the fact that your authentication doesn't disappear even if you clear the session.

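To make the two options concrete, here is an added example of how the question's `__init__.py` could wire up either policy, with the timeout and reissue options the answer refers to. This is my own illustration, not code from the question, the answer or the Pyramid project. It assumes hypothetical .ini keys `auth.policy`, `auth.secret`, `auth.timeout`, `auth.reissue_time` and `auth.secure`, route names `home`, `login` and `logout`, and replaces the MySQL user table with a constructed in-memory dict; Pyramid and pyramid_beaker are imported lazily inside the functions that need them.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the user table the question keeps in MySQL.
# Passwords are stored as salted PBKDF2 digests, never in clear text.
USERS = {}


def _derive(password, salt, iterations=200_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def add_user(userid, password, groups=()):
    salt = os.urandom(16)
    USERS[userid] = {"salt": salt, "digest": _derive(password, salt), "groups": list(groups)}


def check_credentials(userid, password):
    """True only when the user exists and the password matches.

    Unknown users still pay the PBKDF2 cost and the comparison is constant-time,
    so the login form does not reveal which usernames exist through response timing."""
    rec = USERS.get(userid)
    if rec is None:
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["digest"])


def groupfinder(userid, request):
    """Callback shared by both policies. Returning None tells Pyramid that the userid
    carried by the cookie or session no longer maps to a real user, so the request
    is treated as unauthenticated even though the ticket itself is still valid."""
    rec = USERS.get(userid)
    if rec is None:
        return None
    return ["group:" + g for g in rec["groups"]]


def make_authn_policy(settings):
    """Build the policy chosen by the hypothetical ``auth.policy`` setting."""
    if settings.get("auth.policy") == "session":
        from pyramid.authentication import SessionAuthenticationPolicy
        # Identity lives in request.session: clearing or expiring the Beaker
        # session also logs the user out.
        return SessionAuthenticationPolicy(callback=groupfinder)
    from pyramid.authentication import AuthTktAuthenticationPolicy
    # Identity lives in a separate signed auth_tkt cookie, independent of the session.
    return AuthTktAuthenticationPolicy(
        settings["auth.secret"],  # assumed .ini key holding a long random secret
        callback=groupfinder,
        hashalg="sha512",  # not the legacy md5 default of old releases
        timeout=int(settings.get("auth.timeout", 1800)),  # ticket expires after 30 min ...
        reissue_time=int(settings.get("auth.reissue_time", 300)),  # ... unless refreshed in use
        http_only=True,  # keep the cookie out of reach of page scripts
        secure=settings.get("auth.secure", "true") == "true",  # HTTPS-only in production
    )


def login_view(request):
    """POST handler for the login form: verify, then let the policy issue credentials."""
    from pyramid.httpexceptions import HTTPFound
    from pyramid.security import remember

    userid = request.params.get("login", "")
    if check_credentials(userid, request.params.get("password", "")):
        request.session.invalidate()  # rotate the session id at login (fixation defence)
        return HTTPFound(location=request.route_url("home"), headers=remember(request, userid))
    request.session.flash("Login failed")
    return HTTPFound(location=request.route_url("login"))


def logout_view(request):
    from pyramid.httpexceptions import HTTPFound
    from pyramid.security import forget

    request.session.invalidate()  # drop session data as well as the auth cookie
    return HTTPFound(location=request.route_url("login"), headers=forget(request))


def main(global_config, **settings):
    """Paste entry point, mirroring the question's __init__.py."""
    from pyramid.authorization import ACLAuthorizationPolicy
    from pyramid.config import Configurator
    from pyramid_beaker import session_factory_from_settings

    config = Configurator(settings=settings,
                          session_factory=session_factory_from_settings(settings))
    config.set_authentication_policy(make_authn_policy(settings))
    config.set_authorization_policy(ACLAuthorizationPolicy())
    config.add_route("login", "/login")
    config.add_route("logout", "/logout")
    config.add_view(login_view, route_name="login", request_method="POST")
    config.add_view(logout_view, route_name="logout")
    return config.make_wsgi_app()
```

With `auth.policy = session` the identity is stored inside the Beaker session the question already configures, so anything that invalidates that session ends the login; with the auth_tkt policy the identity travels in its own signed cookie, which is why it survives a cleared session and why `timeout`/`reissue_time` can bound its lifetime separately. Either way `groupfinder` is the place to check that the user still exists in the database on every request.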