Hi, I'd like to implement the following session cookie behaviour:

- non-logged-in users get a short-lived one, like 1800 seconds, enough for all CSRF validation
- when logging in, they extend their cookie to 1 year

I'm using pyramid_session_redis, and I can achieve the Redis-side change using

    headers = remember(request, user.id)
    redis_timeout = 3600 * 24 * 365  # one year in Redis
    request.session.adjust_timeout_for_session(redis_timeout)
    return HTTPFound(location=..., headers=headers)

This changes the Redis side just fine. However, I see no way to change the max_age on the already set cookie, and I see that remember() supports max_age, but it doesn't work. I've asked the developer of pyramid_session_redis and he said that there is no remember() in that package, so it's unrelated to that. Still, in the Pyramid docs, I see that remember() supports max_age, so how is it?

https://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy.remember
and
https://docs.pylonsproject.org/projects/pyramid/en/latest/api/security.html#pyramid.security.remember

So my solution right now is to set the session cookie max_age to something very big and then just limit things in Redis. Is this the right solution?

Ideally, I'd like to achieve never logging out logged-in users, as it's bad for user experience, but at the same time limit bots and non-logged-in users to 1800 seconds.

Zsolt

-- 
Posted to the Google Groups "pylons-discuss" group. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/62b25a2d-4bec-4ed9-b3db-8c0e310384een%40googlegroups.com.
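The two-tier lifetime the post describes (a short TTL for anonymous sessions, a long one after login, with the server-side expiry as the authority and the cookie's Max-Age only re-issued on login) can be modelled without Pyramid or Redis. The following is an added example, not code from the post or from pyramid_session_redis: it stands in for what `adjust_timeout_for_session()` does on the Redis side with an in-memory dict keyed by session id, and it builds the `Set-Cookie` header that re-issues the cookie with a new `Max-Age` using the standard-library `http.cookies` module. The class and function names, the timeout constants and the session-id rotation at login are this example's own choices (rotating the id on login is a common defence against session fixation and is not something the post mentions).

```python
"""Two-tier session lifetime with server-side expiry as the authority.

Added example (not from the post or pyramid_session_redis). The store below
imitates a Redis key with a TTL; the real backend is replaced by a dict so the
code runs offline. Timestamps are plain integers (seconds) passed in by the
caller, which keeps the expiry logic deterministic and testable.
"""
import secrets
from http.cookies import SimpleCookie

ANON_TIMEOUT = 1800                  # seconds: enough for CSRF round-trips
LOGGED_IN_TIMEOUT = 3600 * 24 * 365  # one year, as in the post


class SessionStore:
    """In-memory stand-in for the Redis backend: session_id -> row."""

    def __init__(self):
        self._rows = {}

    def create(self, now):
        """Start an anonymous session with the short TTL; returns its id."""
        sid = secrets.token_urlsafe(32)
        self._rows[sid] = {"expires_at": now + ANON_TIMEOUT, "user_id": None}
        return sid

    def load(self, sid, now):
        """Return the row if it exists and has not expired, else None.

        An expired row is dropped on access, the way a Redis key with a TTL
        simply disappears: the cookie the client still holds becomes useless
        regardless of the Max-Age it was issued with.
        """
        row = self._rows.get(sid)
        if row is None or row["expires_at"] <= now:
            self._rows.pop(sid, None)
            return None
        return row

    def login(self, sid, user_id, now):
        """Bind the session to a user and extend its TTL to one year.

        The session id is rotated (hypothetical design choice of this example)
        so a pre-login id known to a third party does not survive login.
        Returns the new id.
        """
        row = self.load(sid, now)
        if row is None:
            raise KeyError("session expired or unknown")
        del self._rows[sid]
        new_sid = secrets.token_urlsafe(32)
        self._rows[new_sid] = {
            "expires_at": now + LOGGED_IN_TIMEOUT,
            "user_id": user_id,
        }
        return new_sid


def session_cookie_header(sid, max_age, name="session"):
    """Build the Set-Cookie value that re-issues the cookie with a new Max-Age.

    A cookie's Max-Age cannot be edited in place; the only way to change it is
    to send the cookie again. HttpOnly, Secure and SameSite=Lax are the
    defaults a session cookie should carry.
    """
    cookie = SimpleCookie()
    cookie[name] = sid
    morsel = cookie[name]
    morsel["max-age"] = max_age
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(now=0)
    print("anonymous alive at t=1799:", store.load(anon, now=1799) is not None)
    print("anonymous alive at t=1800:", store.load(anon, now=1800) is not None)
    sid = store.create(now=0)
    sid = store.login(sid, "user42", now=600)
    print("Set-Cookie:", session_cookie_header(sid, LOGGED_IN_TIMEOUT))
    print("logged-in alive after 30 days:",
          store.load(sid, now=600 + 30 * 86400) is not None)
```

In a real deployment the server-side TTL is what actually logs a user out, so a long cookie Max-Age is only a hint to the browser; the cookie re-issued at login is what keeps the browser from discarding it before the backend does.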