Encryption is all well and good but I'm not sure I'll trust encryption in a library called "insecure_but_secure_enough". :-P
Signed cookies are trivial to create within pyramid using signed_serialize and signed_deserialize. http://docs.pylonsproject.org/projects/pyramid/en/1.4-branch/api/session.html

On Fri, Feb 8, 2013 at 11:21 AM, Jonathan Vanasco <[email protected]> wrote:

> > I never did because the data disappears if you reboot the server and
> > users get annoyed if their session gets dropped in the middle or they have
> > to log in again
>
> FWIW - to get around that, I use an autologin routine...
>
> 1. I set an autologin cookie for anywhere from 1-30 days (1 if I
> decided to set it, 30 if the user wants to be remembered)
> 2. If I catch a user who is logged out, I check for the autologin
> cookie. If that works, I redirect them to the autologin url, process
> the cookie, and then redirect back to the resource. (this could
> probably all happen within a single page, but this was fast)
> 3. To write the autologin cookies, I wrote this library --
>
> https://github.com/jvanasco/insecure_but_secure_enough/blob/master/insecure_but_secure_enough/__init__.py
>
> With this library, I can create an encrypted and/or signed cookie that
> is relatively secure.
>
> The basic premise is this:
> - the cookie has an encrypted value, and an unencrypted timestamp +
> digest
> - before doing any expensive decryption, the server can use the
> digest / timestamp to decide if it's worth unencrypting (too old,
> invalid, etc)
> - the encryption / decryption is handled by a provider, which has
> hooks for time-based lookups.
>
> This way you can have your encryption factory change daily, weekly,
> monthly, etc. It's not secure enough for sensitive data, but by the
> time 99.999% of people would have broken something, you can be on a
> new set of encryption keys. You can also use this to create a payload
> for URL based autologins for emails.
>
> As a rule of thumb, I also note in every session what sort of Login
> occurred -- a form, autologin, facebook connect, etc. I always require
> a new form login if someone wants to access account settings.
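The cookie layout from the quoted message (timestamp and key id in the clear, cheap rejection before any expensive work, keys looked up by time period) combined with the signed-cookie approach the reply suggests, as an added example that is not code from this thread, from pyramid, or from insecure_but_secure_enough. It signs a JSON payload with HMAC-SHA256 instead of encrypting it, so nothing secret belongs in the payload; the key table, period numbers and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example keys: one HMAC key per rotation period (one day here).
# Keeping the previous period's key lets cookies signed just before a
# rotation still verify; dropping a key from the table retires it.
ROTATION_SECONDS = 86400
KEYS = {
    19700: b"constructed-key-for-period-19700",
    19701: b"constructed-key-for-period-19701",
}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_id_for(now: float) -> int:
    # Time-based key lookup: the key id is the rotation period number.
    return int(now // ROTATION_SECONDS)

def make_cookie(payload: dict, now: float = None) -> str:
    now = time.time() if now is None else now
    kid = key_id_for(now)
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    msg = f"{kid}.{int(now)}.{body}"           # key id and timestamp stay readable
    sig = hmac.new(KEYS[kid], msg.encode(), hashlib.sha256).digest()
    return f"{msg}.{_b64e(sig)}"

def read_cookie(cookie: str, max_age: int, now: float = None) -> dict:
    """Return the payload or raise ValueError; cheap rejections come first."""
    now = time.time() if now is None else now
    try:
        kid_s, ts_s, body, sig = cookie.split(".")
        kid, ts = int(kid_s), int(ts_s)
    except ValueError:
        raise ValueError("malformed cookie")
    if ts > now + 60 or now - ts > max_age:    # too old (or from the future)
        raise ValueError("cookie expired")
    key = KEYS.get(kid)
    if key is None:                             # signed under a retired key
        raise ValueError("unknown key id")
    expected = hmac.new(key, f"{kid_s}.{ts_s}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64d(body))
```

Retiring a key is just deleting it from KEYS, which invalidates every cookie issued in that period without touching the cookies themselves.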
