Cookies (in general) have a few flags: * httponly - tells the browser to only send to severs; not allow JS access * secure - tells the browser to only send to secure servers (https, i think there are other secure methods too)
Pyramid (and many other python packages) usually abstract them into boolean arguments, which is what you see in the cookie/session api. You definitely want to use encryption in your scenario. Most third-party login APIs will require you to have the endpoint under HTTPS (facebook and twitter, for example), so I would personally just run all of this under HTTPS with signed cookies from Pyramid's default factory that are httponly and secure. That would be reasonably secure enough – it will protect the data as network traffic, and compromising the security would entail compromising HTTP or one of the machines involved. To tell what type of connection you have, `request.scheme` will tell you if a request is 'http' or 'https' . It's a `webob.Request` property; it may be influenced by frontline / proxy servers that fail to convey the right headers to wsgi so you should have some deployment tests that ensure the correct setup. If you have to run on HTTP, then you'll need to encrypt/decrypt the payload of your cookies. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discuss+unsubscr...@googlegroups.com. To post to this group, send email to pylons-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/pylons-discuss. For more options, visit https://groups.google.com/d/optout.