I forgot to mention we do get some useful information when 
debug_authorization is set to True. Here is what we get:

2017-11-21 01:24:14,225 DEBUG [appname._authdebug_view()][waitress] 
debug_authorization of url http://localhost:6543/ (view name u'' against 
context <====================================.models.RootFactory object at 
0x7f7ef246af90>): ACLDenied permission 'authenticated' via ACE '<default 
deny>' in ACL [...ACLs here...] on context <appname.models.RootFactory 
object at 0x7faf3c5a7c10> for principals ['system.Everyone']

On Tuesday, November 21, 2017 at 9:41:11 AM UTC-6, Alen wrote:
>
> Hi,
>
> We've encountered a strange authorization issue we can't quite figure out 
> how to get past... When the users of our web app are inactive for a while 
> and they come back to use it, on first request they get a HTTPForbidden 
> error (presumably because the session has expired due to inactivity). 
> However, they're not logged out and if they refresh the page everything 
> works as it should. The behavior is pretty easy to replicate, we just set 
> session.timeout to 5 seconds, and then use the app after being inactive for 
> 5 seconds and we always get the error. But here's the kicker - if we set 
> pyramid.debug_authorization to True then we don't see this issue!
>
> We need help debugging this issue further...but we're pretty sure it's 
> something misconfigured on our end. We're running latest Pyramid (1.9.1) 
> with pyramid_beaker for session management. Below is an excerpt from our 
> development.ini file with the relevant settings:
>
> ================================
> pyramid.reload_templates = true
> pyramid.debug_authorization = false
> pyramid.debug_notfound = true
> pyramid.debug_routematch = false
> pyramid.default_locale_name = en
> pyramid.includes =
>     pyramid_tm
>     pyramid_debugtoolbar
>     pyramid_beaker
>
> # Debug toolbar
> debugtoolbar.enabled = false
> debugtoolbar.hosts = 0.0.0.0/0
>
> # Use http instead of https in local environment for base portal URL
> auth.policy.secure = false
>
> # Beaker config
> cache.type = ext:memcached
> cache.url = 127.0.0.1:11211
> cache.lock_dir = %(here)s/data/sessions/lock
> cache.regions = second, default_term, short_term, long_term, full_day, forever_term
> cache.second.expire = 1
> cache.short_term.expire = 60
> cache.default_term.expire = 300
> cache.long_term.expire = 3600
> cache.full_day.expire = 86400
> cache.forever_term.expire = 604800
> session.type = ext:memcached
> session.url = 127.0.0.1:11211
> session.data_dir = %(here)s/data/sessions/data
> session.lock_dir = %(here)s/data/sessions/lock
> session.key = KEY_HNAME
> session.secret = SECRET_KEY
> session.cookie_expires = 86400
> session.secure = false
> session.timeout = 3600
> # End of beaker config
> ================================
>
> And here is the auth policy setup from our __init__.py file:
>
> ================================
> from pyramid.authentication import AuthTktAuthenticationPolicy
>
> authn_policy = AuthTktAuthenticationPolicy(
>         # this is the secret used to sign cookies
>         'SECRET_KEY',
>         callback=groupfinder,
>         secure=use_https,  # This should always be True, unless overridden in development.ini file
>         http_only=True,
>         timeout=21600,
>         reissue_time=2160,
>         max_age=86400,
>         hashalg='sha512')
> ================================
>
> Thanks
>
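
The logged line above ends with "for principals ['system.Everyone']", which is the key detail: the ACL was evaluated for a request that carried no authenticated identity at all. The following is an added example (it is not code from this thread and not Pyramid's own source) that re-implements, in plain Python, the two pieces of Pyramid behaviour involved: how AuthTktAuthenticationPolicy composes effective principals from the ticket userid plus the groupfinder callback, and how ACLAuthorizationPolicy walks the resource lineage and picks the first matching ACE, falling back to '<default deny>'. The USERS table, groupfinder, RootFactory ACL and Folder resource are constructed for the demonstration. It shows that a request whose principals are only system.Everyone is denied via '<default deny>' regardless of how the ACL is written, and that the callback returning None (for example when the lookup it relies on comes back empty) produces exactly that principal list, so the place to instrument when reading such a log line is the callback's input and return value on the failing request, not the ACL.

```python
"""Simulation of Pyramid ACL matching and principal composition (added example)."""
from collections import namedtuple

# Constant names mirror pyramid.security so the output reads like Pyramid's log line
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"


class _AllPermissions:
    """Sentinel that matches every permission, in the spirit of pyramid's ALL_PERMISSIONS."""
    def __contains__(self, _permission):
        return True


ALL_PERMISSIONS = _AllPermissions()

Decision = namedtuple("Decision", "allowed ace principals permission")


def lineage(context):
    """Walk from the context up through __parent__ links, nearest resource first."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def permits(context, principals, permission):
    """First ACE (context first, then parents) whose principal the request holds and
    whose permission list contains `permission` decides; otherwise default deny."""
    for location in lineage(context):
        acl = getattr(location, "__acl__", None)
        if acl is None:
            continue            # resource without an ACL: keep walking upwards
        if callable(acl):
            acl = acl()
        for ace in acl:
            action, principal, perms = ace
            if principal not in principals:
                continue
            if isinstance(perms, str):
                perms = [perms]
            if permission in perms:
                return Decision(action == Allow, ace, list(principals), permission)
    return Decision(False, "<default deny>", list(principals), permission)


# Constructed user/group table standing in for whatever the app's groupfinder consults
USERS = {"alice": ["group:editors"], "bob": ["group:banned"]}


def groupfinder(userid, request=None):
    """Callback shape AuthTktAuthenticationPolicy expects: a list of group principals,
    or None when the userid is not (or no longer) a valid user."""
    return USERS.get(userid)


def effective_principals(userid):
    """Same composition Pyramid's callback-based policies perform."""
    principals = [Everyone]
    if userid is None:
        return principals       # no ticket presented
    groups = groupfinder(userid)
    if groups is None:
        return principals       # callback vetoed: request stays unauthenticated
    principals.append(Authenticated)
    principals.append(userid)
    principals.extend(groups)
    return principals


class RootFactory:
    """Constructed stand-in for the app's root factory; ACE order matters."""
    __acl__ = [
        (Deny, "group:banned", ALL_PERMISSIONS),     # explicit deny wins if listed first
        (Allow, Authenticated, "authenticated"),
        (Allow, "group:admins", ALL_PERMISSIONS),
    ]

    def __init__(self, request=None):
        pass


class Folder:
    """Child resource with no ACL of its own; it inherits the parent's via __parent__."""
    def __init__(self, parent):
        self.__parent__ = parent


def check(userid, permission, context=None):
    """Evaluate `permission` for `userid` against `context` (default: the root)."""
    ctx = context if context is not None else RootFactory()
    return permits(ctx, effective_principals(userid), permission)


def explain(decision):
    """Render a line in the spirit of pyramid.debug_authorization output."""
    verdict = "ACLAllowed" if decision.allowed else "ACLDenied"
    return "%s permission %r via ACE %r for principals %r" % (
        verdict, decision.permission, decision.ace, decision.principals)


if __name__ == "__main__":
    # None = no ticket; "ghost" = ticket userid the callback no longer recognises
    for uid in (None, "alice", "bob", "ghost"):
        print(repr(uid), "->", explain(check(uid, "authenticated")))
```

Running it prints one line per case; the None and "ghost" cases both produce "ACLDenied permission 'authenticated' via ACE '<default deny>' ... for principals ['system.Everyone']", the same shape as the logged denial, even though the ACL does grant 'authenticated' to every authenticated user. Logging what the real groupfinder receives and returns on the first request after a period of inactivity, with the logger that debug_authorization does not touch, separates the "no ticket" case from the "callback returned None" case.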

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/6a9d8b6e-c8ec-4bb2-8733-72e31e7ac7c7%40googlegroups.com.