> I never did because the data disappears if you reboot the server and users
> get annoyed if their session gets dropped in the middle or they have to log
> in again
FWIW - to get around that, I use an autologin routine...

1. I set an autologin cookie for anywhere from 1-30 days (1 if I decided to set it, 30 if the user wants to be remembered).

2. If I catch a user who is logged out, I check for the autologin cookie. If that works, I redirect them to the autologin URL, process the cookie, and then redirect back to the resource. (This could probably all happen within a single page, but this was fast.)

3. To write the autologin cookies, I wrote this library -- https://github.com/jvanasco/insecure_but_secure_enough/blob/master/insecure_but_secure_enough/__init__.py

With this library, I can create an encrypted and/or signed cookie that is relatively secure. The basic premise is this:

- the cookie has an encrypted value, and an unencrypted timestamp + digest
- before doing any expensive decryption, the server can use the digest / timestamp to decide if it's worth decrypting (too old, invalid, etc.)
- the encryption / decryption is handled by a provider, which has hooks for time-based lookups. This way you can have your encryption factory change daily, weekly, monthly, etc. It's not secure enough for sensitive data, but by the time 99.999% of people would have broken something, you can be on a new set of encryption keys.

You can also use this to create a payload for URL-based autologins for emails.

As a rule of thumb, I also note in every session what sort of login occurred -- a form, autologin, Facebook Connect, etc. I always require a new form login if someone wants to access account settings.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
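The cookie layout described in the post (plaintext timestamp and digest outside, encrypted payload inside, cheap checks before any decryption, keys selected by time period), as an added example written for this page; it is not code from the insecure_but_secure_enough library and does not reproduce its API. Assumptions: the per-period signing and encryption keys are derived from one constructed MASTER_SECRET with HMAC rather than looked up from a provider hook, and, because the standard library has no block cipher, the payload is encrypted with an HMAC-SHA256 keystream in counter mode under a random nonce; in production swap that for AES-GCM (e.g. from the cryptography package) and rotate the master secret itself.

```python
"""Autologin cookie: <ts>.<nonce>.<ciphertext>.<digest>, all base64url except ts.

Verification order matters: format and age first (free), then the HMAC digest
(one hash), and only then decryption. Anything that fails early never reaches
the decryptor, so junk or expired cookies cost almost nothing.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed example secret; a real deployment loads this from config.
MASTER_SECRET = b"constructed-example-master-secret-replace-me"
ROTATION_SECONDS = 7 * 24 * 3600   # a new key pair every week
MAX_AGE_SECONDS = 30 * 24 * 3600   # the longest "remember me" lifetime
CLOCK_SKEW_SECONDS = 60            # tolerate slightly-in-the-future timestamps


def _period(ts: int) -> int:
    return ts // ROTATION_SECONDS


def _period_keys(period: int):
    """Derive independent sign/encrypt keys for one rotation period.

    Stands in for the post's time-based provider lookup; every period gets
    its own keys, so the timestamp in the cookie tells us which keys to use.
    """
    base = hmac.new(MASTER_SECRET, str(period).encode(), hashlib.sha256).digest()
    sign_key = hmac.new(base, b"sign", hashlib.sha256).digest()
    enc_key = hmac.new(base, b"encrypt", hashlib.sha256).digest()
    return sign_key, enc_key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR with an HMAC-SHA256 counter-mode keystream (assumed stand-in for AES)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(payload: dict, now=None) -> str:
    """Encrypt payload under the current period's key and sign ts|nonce|ct."""
    ts = int(time.time() if now is None else now)
    sign_key, enc_key = _period_keys(_period(ts))
    nonce = os.urandom(16)
    plaintext = json.dumps(payload, separators=(",", ":")).encode()
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    head = f"{ts}.{_b64e(nonce)}.{_b64e(ciphertext)}"
    digest = hmac.new(sign_key, head.encode(), hashlib.sha256).digest()
    return f"{head}.{_b64e(digest)}"


def read_cookie(cookie: str, now=None, max_age: int = MAX_AGE_SECONDS):
    """Return the payload dict, or None if the cookie is malformed, stale or forged."""
    now = int(time.time() if now is None else now)
    parts = cookie.split(".")
    if len(parts) != 4 or not parts[0].isdigit():
        return None                                   # wrong shape: free rejection
    ts = int(parts[0])
    if ts > now + CLOCK_SKEW_SECONDS or now - ts > max_age:
        return None                                   # future-dated or expired: free rejection
    sign_key, enc_key = _period_keys(_period(ts))    # keys for the period the cookie was minted in
    head = ".".join(parts[:3])
    expected = hmac.new(sign_key, head.encode(), hashlib.sha256).digest()
    try:
        given = _b64d(parts[3])
        nonce, ciphertext = _b64d(parts[1]), _b64d(parts[2])
    except ValueError:                                # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(expected, given):      # constant-time; digest covers ts too
        return None
    try:
        return json.loads(_keystream_xor(enc_key, nonce, ciphertext))
    except ValueError:
        return None


if __name__ == "__main__":
    c = make_cookie({"uid": 42, "login": "autologin"})
    print(c)
    print(read_cookie(c))
```

Because the digest covers the timestamp, an attacker cannot move a cookie into a different key period or extend its life without the signing key for the period it was minted in; the age window is enforced on the server's clock, not the cookie's. The `login` field carries the post's "what sort of login occurred" marker so the application can insist on a fresh form login before account settings.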
