In the event that your Session object you keep referring to isn't integrated into Pyramid's `request.session`, then a) you should look into doing that (link below) and then use the SessionAuthenticationPolicy as Chris suggested or b) you should just write your own authentication policy that uses your Session object.
http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/narr/sessions.html#creating-your-own-session-factory

On Tue, Jun 19, 2012 at 8:18 PM, Chris McDonough <[email protected]> wrote:
> On 06/19/2012 08:38 PM, Ben Sizer wrote:
>>
>> I have written my own Session object, based on the example Pyramid 1.3
>> provides, but with my own persistence mechanism - all well and good (I
>> think). In the cookie I store a key into my database, so that I can
>> retrieve persistent session info.
>>
>> Now I'd like to implement authorization, so that I can show different
>> content to different authenticated users. So I looked at the
>> authentication policy docs and then at the AuthTktAuthenticationPolicy
>> and associated classes. They appear to also read and write a cookie,
>> and it seems like there is a large amount of overlap with the session
>> code. It's not clear if the two peacefully co-exist, or whether they
>> should be rolled into one object.
>>
>> I figure I can use different cookie names in each case, but it seems
>> to be duplicating effort and increasing the chance of bugs, eg. if one
>> cookie expires when the other is valid, etc. I had imagined that I
>> would have 1 session object, linked to a single cookie. That session
>> would have a current_user() method or similar which would retrieve the
>> user from the database, based on a user ID stored in the session.
>>
>> Basically, I don't know how to use these 2 things together - the doc
>> page on Sessions has nothing to say about auth or about security
>> (apart from the warning about the unencrypted session type) and the
>> page on Security says nothing about sessions. I could probably write
>> my own AuthenticationPolicy that queries my Session object but that
>> would involve it setting cookie headers which would interfere with
>> that Session.
>>
>> How should I proceed?
>
>
> You can probably just reuse the existing SessionAuthenticationPolicy here:
>
> http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/api/authentication.html#pyramid.authentication.SessionAuthenticationPolicy
>
> - C
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/pylons-discuss?hl=en.
>
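
Option (b) from the reply at the top of this thread, sketched as an added example that is not part of the original messages and is not Pyramid's own code: an authentication policy that keeps the user id inside `request.session`, so `remember()` and `forget()` return no headers and the session cookie stays the only cookie. The class name, `groupfinder`, `USERS` and `FakeRequest` are hypothetical; in a real application the class would also be declared with `@implementer(IAuthenticationPolicy)` and the session would be the custom dict-like Session object.

```python
EVERYONE = "system.Everyone"            # value of pyramid.security.Everyone
AUTHENTICATED = "system.Authenticated"  # value of pyramid.security.Authenticated


class SessionBackedAuthPolicy:
    """Stores the user id in request.session instead of a second cookie."""

    def __init__(self, callback, userid_key="auth.userid"):
        # callback(userid, request) returns a list of group principals, or
        # None when the user no longer exists (hypothetical app-level lookup).
        self.callback = callback
        self.userid_key = userid_key

    def unauthenticated_userid(self, request):
        # Whatever the session claims, not yet checked against the user store.
        return request.session.get(self.userid_key)

    def authenticated_userid(self, request):
        userid = self.unauthenticated_userid(request)
        if userid is None or self.callback(userid, request) is None:
            return None  # stale session: the user was deleted or disabled
        return userid

    def effective_principals(self, request):
        principals = [EVERYONE]
        userid = self.unauthenticated_userid(request)
        groups = None if userid is None else self.callback(userid, request)
        if groups is None:
            return principals
        return principals + [AUTHENTICATED, userid] + list(groups)

    def remember(self, request, principal, **kw):
        request.session[self.userid_key] = principal
        return []  # no Set-Cookie headers: the session factory owns the cookie

    def forget(self, request):
        request.session.pop(self.userid_key, None)
        return []


class FakeRequest:  # constructed stand-in for a Pyramid request
    def __init__(self):
        self.session = {}


USERS = {"ben": ["group:editors"]}  # constructed sample data


def groupfinder(userid, request):
    return USERS.get(userid)
```

Because the policy never emits headers, cookie expiry and persistence are decided in one place, the session factory.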
