I was having similar issues and came up with an alternate solution after
the ones given here weren't really satisfactory to me. (I know this thread
is old, but someone else might come across it like myself.) What I did was
essentially alter create_record() to throw a ValidationFailure when I

I don't use Pyramid's Auth, but I have a suggestion based on what I do.
I keep sessions locked to the Browser session.
If someone clicks "remember me", they're given an "AutoLogin Cookie". It
has an encrypted payload of their UID + Date, and the encryption scheme
rotates.
I believe our auth