Thank you for the insight. Looking over the SignedCookieSessionFactory
<http://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html#pyramid.session.SignedCookieSessionFactory>,
I have two questions. How do I ensure that HTTPS is used? What is the
"secure flag" of the session cookie?

Jonathan, you mentioned my description of types/locations of data being
confusing. To clarify, I'm creating a web app on my server that grabs data
from third-party software on a remote server using API routes the
third-party has provided. This other party handles all of the
authentication--my web app sends users to the third party's login page to
log in, and then they are redirected back to my app. That redirection
includes authorization tokens which my app uses to build a user context.
This user context is included in API requests to the third-party's system
in order to authorize the calls. If this context were visible, it would not
be difficult to take the user context tokens from the request. These tokens
could be used to make other calls to the third party's system, so it's
important that they are kept secret.

On Sun, May 17, 2015 at 2:35 PM, Jonathan Vanasco <jonat...@findmeon.com>
wrote:

>
> On Saturday, May 16, 2015 at 5:12:08 PM UTC-4, Laurence Rowe wrote:
>>
>> Signed cookies are usually just fine, you only need encryption if you
>> want to prevent the user from inspecting the content stored in their
>> cookies.
>>
>
> Encryption is also needed if you want to prevent others on the network
> from inspecting cookie content.  I've seen a few apps where the developers
> stored 3rd party auth information in a cookie; while it's fine for users to
> access that info and for it to merely be signed as "proof" it was already
> registered with the application, unless that content is locked to HTTPS it
> can be visible in network traffic.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> Visit this group at http://groups.google.com/group/pylons-discuss.
> For more options, visit https://groups.google.com/d/optout.
>

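The two questions above (how to make sure HTTPS is used, and what the session cookie's "secure flag" is), illustrated with an added example that is not part of the original thread and is not Pyramid's own code. The `Secure` attribute is an instruction to the browser: never send this cookie over plain HTTP. It does not make the server speak HTTPS, so the server (or its proxy) still has to refuse or redirect plain-HTTP requests. Pyramid's SignedCookieSessionFactory exposes the two cookie attributes as its `secure=True` and `httponly=True` arguments; the stdlib-only sketch below reproduces what those flags do on the wire, shows that a signed (not encrypted) cookie's payload is readable by anyone who holds it, and adds a WSGI guard that redirects plain HTTP to HTTPS. The function names, the secret, the host `example.test`, the token `tok-abc` and the `/callback` path are all assumptions made up for the example.

```python
"""Signed session cookie with Secure/HttpOnly, plus an HTTPS-only WSGI guard.
Added example using only the standard library; not Pyramid's code."""
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

SECRET = b"replace-with-a-long-random-secret"  # constructed example secret


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes = SECRET) -> str:
    """Serialize a session dict and append an HMAC-SHA512 tag.
    Signed, not encrypted: the payload is only base64, so whoever holds
    the cookie (the user, or a sniffer on a plaintext hop) can read it."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    tag = _b64(hmac.new(secret, payload, hashlib.sha512).digest())
    return (payload + b"." + tag).decode()


def verify_session(cookie_value: str, secret: bytes = SECRET):
    """Return the session dict if the tag verifies, else None."""
    try:
        payload, tag_b64 = cookie_value.encode().split(b".", 1)
        tag = _unb64(tag_b64)
    except ValueError:  # no separator, or malformed base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(payload))


def peek_session(cookie_value: str) -> dict:
    """What anyone can see without the secret: the signature only proves
    the server issued the cookie, it hides nothing."""
    return json.loads(_unb64(cookie_value.split(".", 1)[0].encode()))


def session_cookie_header(value: str, name: str = "session", max_age: int = 1200) -> str:
    """Build the Set-Cookie value with Secure (browser sends it over HTTPS
    only) and HttpOnly (page scripts cannot read it)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


def require_https(app, trust_forwarded_proto: bool = False):
    """WSGI middleware: 301 plain-HTTP requests to the https:// URL and add
    HSTS to HTTPS responses. Only trust X-Forwarded-Proto when a proxy you
    control sets it; otherwise a client could spoof it. In Pyramid the same
    logic would sit in a tween; here it is raw WSGI so it runs stand-alone."""
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_forwarded_proto:
            scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
        if scheme != "https":
            location = urlunsplit(("https", environ.get("HTTP_HOST", "localhost"),
                                   environ.get("PATH_INFO", "/"),
                                   environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
            return start_response(status, headers, exc_info)
        return app(environ, hsts_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the OAuth-style callback: stores a constructed third-party
    token in the session cookie (the thing the thread says must stay secret)."""
    cookie = session_cookie_header(sign_session({"uid": 42, "api_token": "tok-abc"}))
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)])
    return [b"session established\n"]


def call_wsgi(app, environ):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    env = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": "http", "HTTP_HOST": "example.test",
           "PATH_INFO": "/callback", "QUERY_STRING": "code=xyz"}
    print(call_wsgi(require_https(demo_app), env)[:2])          # redirected to https://
    env["wsgi.url_scheme"] = "https"
    status, headers, _ = call_wsgi(require_https(demo_app), env)
    print(status, headers["Set-Cookie"])                         # ... HttpOnly; ... Secure
    print(peek_session(headers["Set-Cookie"].split(";")[0].split("=", 1)[1]))
```

Running it shows the three points of the thread together: the plain-HTTP request never reaches the app, the cookie the HTTPS response sets carries `Secure` and `HttpOnly`, and `peek_session` still prints the token without knowing the secret, which is why a signed cookie holding third-party credentials must never travel over HTTP. Whether the redirect belongs in the application or in the TLS-terminating proxy in front of it is a deployment choice; either way, set `secure=True` on the factory so a stray HTTP link cannot make the browser leak the cookie.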