I don't use Pyramid's Auth, but I have a suggestion based on what I do. I keep sessions locked to the Browser session. If someone clicks "remember me", they're given an "AutoLogin Cookie". It has an encrypted payload of their UID + Date, and the encryption scheme rotates.
I believe our auth check logic looks something like this (pseudocode from memory):

    try:
        uid = None
        if 'uid' in request.session:
            uid = request.session['uid']
            return uid
        # Pyramid exposes the request cookies as request.cookies
        if constants.COOKIES_autologin in request.cookies:
            # raises an error if the payload doesn't parse out
            autologin_credentials = encrypted_parse(request.cookies[constants.COOKIES_autologin])
            # the parsed payload carries the uid
            uid = autologin_credentials['uid']
            utils.do_login(uid, type="autologin")
            return uid
        return False
    except Exception:
        return False

We mark every login with the type & date -- form, facebook/oauth, autologin, etc. -- this way any account changes or showing semi-sensitive info has its own "re-auth" policy.

It would probably be trivial to grab an AuthTkt failure, check for an autologin, and then proceed. It might not be. But it might be...
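The flow described above, as an added example in Python 3 that is not the poster's code: it swaps in an HMAC-signed token that names the key id that signed it for the encrypted payload, which gives the property that actually matters for a uid + date cookie (it cannot be forged, and rotating the key retires old cookies) with only the standard library; the cookie name, key ring, and time limits are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed key ring for the "rotating scheme": each cookie names the key id
# that signed it. Rotate by adding an id and pointing CURRENT_KEY_ID at it; drop
# an old id once every cookie it signed has aged out.
KEYS = {"k1": b"constructed-old-secret", "k2": b"constructed-new-secret"}
CURRENT_KEY_ID = "k2"
AUTOLOGIN_MAX_AGE = 30 * 24 * 3600  # seconds a "remember me" cookie stays valid
COOKIE_AUTOLOGIN = "autologin"      # assumed cookie name

def make_autologin_cookie(uid, now, key_id=None):
    key_id = key_id or CURRENT_KEY_ID
    payload = base64.urlsafe_b64encode(json.dumps({"uid": uid, "date": int(now)}).encode()).decode()
    body = f"{key_id}.{payload}"
    return body + "." + hmac.new(KEYS[key_id], body.encode(), hashlib.sha256).hexdigest()

def parse_autologin_cookie(cookie, now):
    """Return the uid, or raise ValueError for anything that must not log in."""
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    key_id, payload, tag = parts
    if key_id not in KEYS:
        raise ValueError("retired key")  # rotation invalidates old cookies
    expected = hmac.new(KEYS[key_id], f"{key_id}.{payload}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag")      # verify before trusting the payload
    data = json.loads(base64.urlsafe_b64decode(payload))
    if now - data["date"] > AUTOLOGIN_MAX_AGE:
        raise ValueError("expired")
    return data["uid"]

def authenticate(session, cookies, now):
    """Browser session first, then the autologin cookie; record how we logged in."""
    if "uid" in session:
        return session["uid"]
    if COOKIE_AUTOLOGIN not in cookies:
        return False
    try:
        uid = parse_autologin_cookie(cookies[COOKIE_AUTOLOGIN], now)
    except ValueError:
        return False
    session["uid"] = uid
    session["login"] = {"type": "autologin", "date": now}  # drives the re-auth policy
    return uid

def needs_reauth(session, now, max_age=15 * 60):
    """Sensitive actions: an autologin session never qualifies; others must be fresh."""
    login = session.get("login")
    return login is None or login["type"] == "autologin" or now - login["date"] > max_age
```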