I should note that the API I proposed is pretty similar to the current API
we already use in webob.cookies.CookieProfile if you wanted to see some
prior art there. There is a SignedCookieProfile subclass which does
signing, and all the settings are defined once and then the profile is
re-used across requests.

On Mon, Dec 10, 2018 at 2:55 PM Michael Merickel <mmeri...@gmail.com> wrote:

> On Mon, Dec 10, 2018 at 12:21 PM Bert JW Regeer <xiste...@0x58.com> wrote:
>
>> Pyramid also by default supports all of the "secure" parts of the cookie.
>> There are no extra flags that can't already be set using Pyramid.
>>
>> Using the Secure package for cookies is unnecessary.
>>
>
> I imagine the benefit is less for Pyramid's builtin sessions and auth
> tokens but for other arbitrary cookies a user may set where right now you
> must remember/pass in all the options to `response.set_cookie`. If I were
> doing this myself I'd probably use `config.set_response_factory` to define
> a custom response subclass that contains some form of
> `response.set_secure_cookie(key, value, **kwargs)` that had signing built
> into it, or even just define some more purpose-built functions for the
> different types of cookies I want to set. Fortunately most of my apps don't
> set cookies other than auth/session so I don't really care. :-)
>
> To summarize above, my main feedback would be that I'm a little surprised
> the library doesn't provide some way to define a context object that can be
> passed around with pre-configured settings. That way at the call-site where
> I want to set the cookie I can just grab some object and use my key/value
> without needing to think about the actual cookie properties. That would be
> an improvement over Pyramid's current `response.set_cookie`, which is pretty
> feature-complete with the SecureCookie offering in secure.
>
> Imagine at config-time you define something like `remember_me_cookie =
> SecureCookie(...)` and then later on in your code you can set/grab the
> value for that cookie via
> `request.registry.remember_me_cookie.get_value(request)` and
> `request.registry.remember_me_cookie.set_value(response, value)`. This
> makes consuming the cookie super easy and secure by default because all the
> settings are configured at config-time.
>
> I'd argue for and define similar APIs for SecureHeaders etc.
>
> - Michael
>

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pylons-discuss+unsubscr...@googlegroups.com.
To post to this group, send email to pylons-discuss@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/CAKdhhwHFn9P%2Boy9YO8JT2_jbNnXR2jm1i1nKmc%3DYZH-anyWOhg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
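The context-object API sketched in the quoted message (settings fixed once at config time, then `set_value(response, value)` / `get_value(request)` at the call site, with signing built in), written out as an added example. It is not code from this thread, from Pyramid or from WebOb's `CookieProfile`; the `Request`/`Response` stand-ins, the `SecureCookieProfile` name and the HMAC-SHA256 token format are assumptions made for the example, and the secret in the demo is a constructed test value.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for a WebOb/Pyramid Response (hypothetical): a list of headers."""
    headers: list = field(default_factory=list)


@dataclass
class Request:
    """Minimal stand-in for a Request (hypothetical): only the parsed cookie jar is needed."""
    cookies: dict = field(default_factory=dict)


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding keeps the token cookie-safe.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecureCookieProfile:
    """Cookie attributes and signing key are configured once; call sites only see key/value."""

    def __init__(self, name, secret, *, max_age=3600, path="/",
                 secure=True, httponly=True, samesite="Lax"):
        self.name = name
        self.secret = secret          # bytes; load from config, never hard-code in real apps
        self.max_age = max_age        # seconds; also embedded in the signed payload
        self.path = path
        self.secure = secure
        self.httponly = httponly
        self.samesite = samesite

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def _attributes(self, max_age: int) -> str:
        parts = [f"Max-Age={max_age}", f"Path={self.path}"]
        if self.secure:
            parts.append("Secure")
        if self.httponly:
            parts.append("HttpOnly")
        if self.samesite:
            parts.append(f"SameSite={self.samesite}")
        return "; ".join(parts)

    def set_value(self, response, value, now=None):
        """Emit a Set-Cookie header carrying value + expiry, bound by an HMAC tag."""
        now = int(time.time() if now is None else now)
        payload = json.dumps({"v": value, "exp": now + self.max_age},
                             separators=(",", ":")).encode()
        token = _b64e(payload) + "." + _b64e(self._sign(payload))
        response.headers.append(
            ("Set-Cookie", f"{self.name}={token}; {self._attributes(self.max_age)}"))

    def unset(self, response):
        """Clear the cookie with the same attributes, so the browser matches the original."""
        response.headers.append(("Set-Cookie", f"{self.name}=; {self._attributes(0)}"))

    def get_value(self, request, now=None):
        """Return the value only if the tag verifies and the embedded expiry has not passed."""
        raw = request.cookies.get(self.name)
        if not raw or "." not in raw:
            return None
        body, sig = raw.rsplit(".", 1)
        try:
            payload, mac = _b64d(body), _b64d(sig)
        except ValueError:
            return None
        # Constant-time comparison; a forged or truncated tag fails here before any parsing.
        if not hmac.compare_digest(mac, self._sign(payload)):
            return None
        try:
            data = json.loads(payload)
        except ValueError:
            return None
        if not isinstance(data, dict) or "v" not in data or "exp" not in data:
            return None
        now = int(time.time() if now is None else now)
        if data["exp"] < now:
            return None
        return data["v"]


def token_from_set_cookie(response, name):
    """Extract the stored token from a Set-Cookie header, as a browser would (demo helper)."""
    for key, header in response.headers:
        if key == "Set-Cookie" and header.startswith(name + "="):
            return header.split(";", 1)[0][len(name) + 1:]
    return None


if __name__ == "__main__":
    profile = SecureCookieProfile("remember_me", b"constructed-test-secret")
    resp = Response()
    profile.set_value(resp, "user-42")
    print(resp.headers[0][1])
    req = Request(cookies={"remember_me": token_from_set_cookie(resp, "remember_me")})
    print(profile.get_value(req))
```

The point of the design is that the call site never repeats `Secure`, `HttpOnly`, `SameSite` or the key: a wrong-key token, a tampered payload and a stale expiry all come back as `None` from one place, which is where the `request.registry.remember_me_cookie` idea in the quoted message pays off.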
