That looks similar to what I'm doing. I have three session timeouts:
- default: 1 minute for bots that never go beyond one request.
Response has a "Login" button.
- unauthenticated: 10 minutes. While the user is logging in at the
OAuth2 server.
- authenticated: 1-8 hours. Logged-in user.
When
Just for reference I'd like to post what worked for me. Thanks for the
detailed help.
Finally I've settled on the following values:
```
redis.sessions.secret = xxx
redis.sessions.cookie_max_age = 31536 # 10 years, basically forever
redis.sessions.timeout = 1800
redis.sessions.cookie_secure
```
On Saturday, September 19, 2020 at 12:00:28 PM UTC-4 mmer...@gmail.com
wrote:
> It could support changing the max_age when you invoke
> `adjust_timeout_for_session` but it apparently is not.
>
I'm the package author. `adjust_timeout_for_session` doesn't affect
`max_age` because that defect
`remember` is an authentication api and not directly tied to sessions. It does
support kwargs that the authentication policy can utilize as it chooses.
Your question is about sessions, and the session cookie. It is up to
pyramid_session_redis how it chooses to set the cookie, Pyramid does not
Hi,
I'd like to implement the following session cookie behaviour:
- non-logged-in users get a short-lived one, like 1800 seconds, enough for
all CSRF validation
- when logging in, they extend their cookie to 1 year
I'm using pyramid_session_redis, and I can achieve the redis side changing