I don't use Pyramid's Auth, but I have a suggestion based on what I do.

I keep sessions locked to the Browser session.  
If someone clicks "remember me", they're given an "AutoLogin Cookie".  It 
has an encrypted payload of their UID + Date, and the encryption scheme 
rotates.

I believe our auth check logic looks something like this (pseudocode from 
memory):

    def check_auth(request):
        try:
            uid = None
            # A live browser session wins; no cookie work needed.
            if 'uid' in request.session:
                uid = request.session['uid']
                return uid
            # Pyramid exposes cookies as request.cookies, not request.headers.cookies.
            if constants.COOKIES_autologin in request.cookies:
                # raises an error if the payload doesn't parse out
                autologin_credentials = encrypted_parse(request.cookies[constants.COOKIES_autologin])
                uid = autologin_credentials['uid']
                utils.do_login(uid, type="autologin")
                return uid
            return False
        except Exception:
            return False

We mark every login with the type & date -- form, facebook/oauth, autologin, 
etc. -- this way any account changes or showing semi-sensitive info has 
its own "re-auth" policy.

It would probably be trivial to grab an AuthTkt failure, check for an 
autologin, and then proceed.  It might not be.  But it might be...

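A runnable sketch of the scheme described in the post (an added example, not the poster's code or Pyramid's): a "remember me" cookie carrying uid + issue date, a key ring so the scheme can rotate, and the auth check that records the login type. It assumes a key ring `KEYS`, a 30-day `MAX_AGE`, a cookie name `autologin`, and uses HMAC-SHA256 with a key id in place of the poster's encryption so it runs on the standard library alone (the uid is readable but tamper-proof; swap in authenticated encryption if it must be hidden).

```python
import base64, hashlib, hmac, json, time

# Constructed key ring: to rotate, add a new id and make it CURRENT_KEY; keep
# retired keys for verification until their cookies age out, then drop them.
KEYS = {"k1": b"retired-example-secret", "k2": b"current-example-secret"}
CURRENT_KEY = "k2"
MAX_AGE = 30 * 24 * 3600          # 30 days, an assumed policy value
COOKIE_NAME = "autologin"         # assumed cookie name

def _mac(kid, body):
    return hmac.new(KEYS[kid], f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()

def issue_autologin_cookie(uid, now=None):
    """Cookie value = key id . base64(uid + issue time) . MAC over both."""
    payload = json.dumps({"uid": uid, "iat": int(now or time.time())}).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{CURRENT_KEY}.{body}.{_mac(CURRENT_KEY, body)}"

def parse_autologin_cookie(cookie, now=None):
    """Return the uid, or raise ValueError (the post's encrypted_parse)."""
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("malformed cookie")
    kid, body, mac = parts
    if kid not in KEYS:
        raise ValueError("unknown or retired key id")
    # Constant-time compare so MAC checking does not leak timing.
    if not hmac.compare_digest(_mac(kid, body), mac):
        raise ValueError("bad MAC")
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (now or time.time()) - data["iat"] > MAX_AGE:
        raise ValueError("autologin cookie expired")
    return data["uid"]

def check_auth(session, cookies, now=None):
    """The post's check; only the parse step is guarded, not the whole function."""
    if "uid" in session:
        return session["uid"]
    cookie = cookies.get(COOKIE_NAME)
    if cookie is None:
        return False
    try:
        uid = parse_autologin_cookie(cookie, now)
    except ValueError:
        return False
    # Equivalent of utils.do_login(uid, type="autologin"): record type and date
    # so re-auth policies can treat cookie logins as weaker than form logins.
    session.update(uid=uid, login_type="autologin", login_at=int(now or time.time()))
    return uid
```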