`remember` is an authentication API and not directly tied to sessions. It does 
support kwargs that the authentication policy can utilize as it chooses.

Your question is about sessions, and the session cookie. It is up to 
pyramid_session_redis how it chooses to set the cookie, Pyramid does not handle 
it. It could support changing the max_age when you invoke 
`adjust_timeout_for_session`, but apparently it does not.

My suggestion is to not worry about how long the cookie lives, set it for a 
long time or not expiring, and focus on just invalidating it server-side which 
is the only real place you can control it.

- Michael
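To make the server-side approach concrete, here is an added example (not code from this thread, from Pyramid or from pyramid_session_redis) that models the behaviour being discussed with a small in-memory store standing in for Redis: anonymous sessions get a short server-side lifetime, logging in extends that lifetime, and logout removes the record. The cookie's own max_age is deliberately large and never consulted; the store alone decides whether a presented session id is still valid. `ServerSideSessions`, `FakeClock` and the TTL constants are constructions for this example, not names from either package.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

ANON_TTL = 1800              # seconds: short life for not-logged-in sessions
AUTH_TTL = 3600 * 24 * 365   # seconds: one year once the user has logged in


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    expires_at: float = 0.0   # absolute time after which the record is dead


class ServerSideSessions:
    """In-memory stand-in for a Redis-backed session store (constructed for
    this example). Each record carries its own expiry, like a Redis key TTL,
    so the browser cookie can be long-lived: the server decides whether the
    id it carries is still accepted."""

    def __init__(self, clock=time.monotonic):
        self._store: dict[str, Session] = {}
        self._clock = clock

    def new_anonymous(self) -> str:
        # 32 random bytes, URL-safe: the opaque value that goes into the cookie.
        sid = secrets.token_urlsafe(32)
        self._store[sid] = Session(expires_at=self._clock() + ANON_TTL)
        return sid

    def load(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session for sid, or None if unknown, expired or invalidated."""
        if sid is None:
            return None
        sess = self._store.get(sid)
        if sess is None:
            return None
        if self._clock() >= sess.expires_at:
            # Lazy expiry, the way Redis drops a key whose TTL has elapsed.
            del self._store[sid]
            return None
        return sess

    def login(self, sid: str, user_id: int) -> bool:
        """Mark the session authenticated and extend its server-side lifetime
        (the role adjust_timeout_for_session plays in the thread)."""
        sess = self.load(sid)
        if sess is None:
            return False
        sess.data["user_id"] = user_id
        sess.expires_at = self._clock() + AUTH_TTL
        return True

    def invalidate(self, sid: str) -> None:
        """Logout or forced revocation: the cookie may live on in the browser,
        but the id it carries is no longer accepted by the server."""
        self._store.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the long-lived cookie: its Max-Age is one year
    regardless of login state, because expiry is enforced server-side."""
    return f"session={sid}; Max-Age={AUTH_TTL}; Path=/; HttpOnly; Secure; SameSite=Lax"


class FakeClock:
    """Controllable clock so the walkthrough can skip ahead without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> dict:
    """Replay the thread's scenario and report whether the server still accepts each id."""
    clock = FakeClock()
    sessions = ServerSideSessions(clock=clock)
    results = {}

    # Bot / anonymous visitor: dead after 1800 s even though the cookie says one year.
    anon = sessions.new_anonymous()
    clock.advance(ANON_TTL + 1)
    results["anonymous_after_1801s"] = sessions.load(anon) is not None

    # Visitor who logs in: survives the anonymous window, dies after a year.
    user = sessions.new_anonymous()
    sessions.login(user, user_id=42)
    clock.advance(ANON_TTL + 1)
    results["logged_in_after_1801s"] = sessions.load(user) is not None
    clock.advance(AUTH_TTL)
    results["logged_in_after_1_year"] = sessions.load(user) is not None

    # Explicit logout: the only control point that works regardless of the cookie.
    live = sessions.new_anonymous()
    sessions.login(live, user_id=7)
    sessions.invalidate(live)
    results["after_server_side_logout"] = sessions.load(live) is not None
    return results


if __name__ == "__main__":
    for name, still_valid in walkthrough().items():
        print(f"{name}: {'accepted' if still_valid else 'rejected'}")
```

The walkthrough prints "rejected" for the anonymous id after 1801 seconds and for the logged-in id after a year, "accepted" for the logged-in id after 1801 seconds, and "rejected" after the explicit invalidation, which is the split Zsolt asked for without ever touching the cookie's max_age.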

> On Sep 19, 2020, at 07:34, zsol...@gmail.com <zsolt....@gmail.com> wrote:
> 
> Hi,
> 
> I'd like to implement the following session cookie behaviour:
> - non-logged-in users get a short-lived one, like 1800 seconds, enough for 
> all CSRF validation
> - when logging in, they extend their cookie to 1 year
> 
> I'm using pyramid_session_redis, and I can change the Redis side using 
> 
> from pyramid.httpexceptions import HTTPFound
> from pyramid.security import remember
> 
> headers = remember(request, user.id)  # auth ticket cookie headers
> redis_timeout = 3600 * 24 * 365  # one year in Redis 
> request.session.adjust_timeout_for_session(redis_timeout)  # extend server-side TTL
> return HTTPFound(location=..., headers=headers)
> 
> This changes the redis side just fine, however, I see no way to change the 
> max_age on the already set cookie and I see that remember() supports max_age, 
> but it doesn't work.
> 
> I've asked the developer of pyramid_session_redis and he said that there is 
> no remember() in that package, so it's unrelated to that. Still, in Pyramid 
> docs, I see that remember() supports max_age, so how is it?
> 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy.remember
> and
> https://docs.pylonsproject.org/projects/pyramid/en/latest/api/security.html#pyramid.security.remember
> 
> So my solution right now is to set the session cookie max_age to something 
> very big then just limit things in Redis.
> 
> Is this the right solution? Ideally, I'd like to achieve never logging out 
> logged-in users, as it's bad for user experience, but at the same time limit 
> bots and non-logged-in users to 1800 seconds.
> 
> Zsolt
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to pylons-discuss+unsubscr...@googlegroups.com 
> <mailto:pylons-discuss+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/pylons-discuss/62b25a2d-4bec-4ed9-b3db-8c0e310384een%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/pylons-discuss/62b25a2d-4bec-4ed9-b3db-8c0e310384een%40googlegroups.com?utm_medium=email&utm_source=footer>.
