On 04/26/2014 03:58 PM, Mike Orr wrote:
On Tue, Apr 22, 2014 at 1:16 PM, Anders Wegge <awe...@gmail.com> wrote:
  As I read the documentation for SignedCookieSessionFactory, the data stored
in the session is not encrypted. So storing a CSRF token in the session
cookie is not a good option. Pyramid_beaker seems to have been deprecated
with release 1.5, so which options are the best for a site with very few
actions requiring CSRF and other session data?

There are now three fundamental questions for session-adapter
developers. Do we want to replicate Beaker with a full variety of
backends, including Dogpile and database and others?  Or do the
'pyramid_[session]' packages sufficiently replace the Beaker frontend,
and we just need to make 'pyramid_[session]' packages for the full
variety of backends? Or move away from sessions?

I'm only motivated to write and maintain session bindings packages when a customer pays me to do so (e.g. "we want to store all of our data in X", often because they haven't really yet figured out that session data is not much like their other data).

I wouldn't personally create a Beaker replacement (meaning a package which is itself a framework for plugging in different backends), because I use Pyramid pretty much exclusively, and most of the contracts about what makes up a session already exist in Pyramid, and thus I'd just make a pyramid_foo if I had to. If some of the pyramid_foo code was more generally usable, it might go into a separate package (à la Dogpile), but I wouldn't make an omnibus package that had as its mission "sessions".

- C
