I have written my own Session object, based on the example Pyramid 1.3 provides, but with my own persistence mechanism - all well and good (I think). In the cookie I store a key into my database, so that I can retrieve persistent session info.
Now I'd like to implement authorization, so that I can show different content to different authenticated users. So I looked at the authentication policy docs and then at the AuthTktAuthenticationPolicy and associated classes. They appear to also read and write a cookie, and it seems like there is a large amount of overlap with the session code. It's not clear if the two peacefully co-exist, or whether they should be rolled into one object. I figure I can use different cookie names in each case, but it seems to be duplicating effort and increasing the chance of bugs, eg. if one cookie expires when the other is valid, etc. I had imagined that I would have 1 session object, linked to a single cookie. That session would have a current_user() method or similar which would retrieve the user from the database, based on a user ID stored in the session. Basically, I don't know how to use these 2 things together - the doc page on Sessions has nothing to say about auth or about security (apart from the warning about the unencrypted session type) and the page on Security says nothing about sessions. I could probably write my own AuthenticationPolicy that queries my Session object but that would involve it setting cookie headers which would interfere with that Session. How should I proceed? -- Ben Sizer -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
