Thank you very much for the help. I've fleshed out the program a bit more, running a localhost on my machine, and setting the secure flag to True is raising a couple of issues. First, I run into a KeyError while pulling data from the session, which does not happen while secure is set to false. Also, I've been printing request.scheme to the console to see if "https" has been used, but it is printing "http."
I'm looking through the documentation, but would be grateful for any insight into this.

Peace,
Brian

On Monday, May 18, 2015 at 10:10:17 AM UTC-5, Jonathan Vanasco wrote:
>
> Cookies (in general) have a few flags:
>
> * httponly - tells the browser to only send to servers; not allow JS access
> * secure - tells the browser to only send to secure servers (https, I think there are other secure methods too)
>
> Pyramid (and many other python packages) usually abstract them into boolean arguments, which is what you see in the cookie/session api.
>
> You definitely want to use encryption in your scenario. Most third-party login APIs will require you to have the endpoint under HTTPS (facebook and twitter, for example), so I would personally just run all of this under HTTPS with signed cookies from Pyramid's default factory that are httponly and secure. That would be reasonably secure enough – it will protect the data as network traffic, and compromising the security would entail compromising HTTP or one of the machines involved. To tell what type of connection you have, `request.scheme` will tell you if a request is 'http' or 'https'. It's a `webob.Request` property; it may be influenced by frontline / proxy servers that fail to convey the right headers to wsgi so you should have some deployment tests that ensure the correct setup.
>
> If you have to run on HTTP, then you'll need to encrypt/decrypt the payload of your cookies.
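The two symptoms in the thread (an empty session when the cookie is marked secure but the site runs on plain http, and `request.scheme` reporting "http" behind a TLS-terminating proxy) both follow from how the Secure flag and `wsgi.url_scheme` work. The following is an added example written for this page, not code from the thread, from Pyramid or from WebOb: it models a browser cookie jar that honours the Secure flag and a server that looks the session up from the Cookie header, using only the standard library. The helper names (`set_session_cookie`, `load_session`, `CookieJar`, `effective_scheme`, `simulate`), the session id and the session store are all hypothetical or constructed for the illustration; the one factual assumption is that WebOb's `request.scheme` reads the `wsgi.url_scheme` environ key, which a proxy that terminates TLS leaves as `http` unless the deployment translates the proxy's forwarded-proto header.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# --- server side ----------------------------------------------------------

def set_session_cookie(session_id, secure, httponly=True):
    """Build the Set-Cookie value a session factory would emit for an opaque
    session id, with HttpOnly and Secure exposed as booleans (the abstraction
    the thread describes).  Hypothetical helper, not Pyramid's own."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["path"] = "/"
    if httponly:
        c["session"]["httponly"] = True
    if secure:
        c["session"]["secure"] = True
    return c.output(header="").strip()


def load_session(cookie_header, store):
    """Resolve the Cookie request header to the stored session dict.
    No cookie (or an unknown id) yields a fresh, empty session, so view code
    that does session["user"] on it raises KeyError."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "session" in c:
        return store.get(c["session"].value, {})
    return {}


def effective_scheme(environ, trust_forwarded_proto=False):
    """What request.scheme reports: WebOb reads wsgi.url_scheme.  A proxy that
    terminates TLS speaks plain HTTP to the app, so the key stays 'http' unless
    the deployment maps X-Forwarded-Proto onto it.  Opt-in here, because a
    header any client can send must only be trusted from the known proxy."""
    if trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO") == "https":
        return "https"
    return environ.get("wsgi.url_scheme", "http")


# --- browser side (toy model: ignores Domain, Path and expiry) --------------

class CookieJar:
    def __init__(self):
        self._cookies = {}  # name -> (value, secure_flag)

    def store(self, set_cookie_value):
        c = SimpleCookie()
        c.load(set_cookie_value)
        for name, morsel in c.items():
            self._cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header_for(self, url):
        """Cookie header the browser attaches to a request for url:
        cookies flagged Secure are withheld unless the request goes over https."""
        https = urlsplit(url).scheme == "https"
        pairs = [f"{n}={v}" for n, (v, sec) in self._cookies.items() if https or not sec]
        return "; ".join(pairs)


def simulate(site_url, secure_flag):
    """Log in (server sets the session cookie), then make one more request to
    site_url and report which user the server finds in the session."""
    store = {"abc123": {"user": "brian"}}  # constructed server-side session store
    jar = CookieJar()
    jar.store(set_session_cookie("abc123", secure=secure_flag))
    session = load_session(jar.cookie_header_for(site_url), store)
    return session.get("user")  # None when the browser withheld the cookie


if __name__ == "__main__":
    for url, flag in [("http://localhost/", False),
                      ("http://localhost/", True),
                      ("https://localhost/", True)]:
        print(f"{url} secure={flag}: user={simulate(url, flag)!r}")
    # Reproduce the KeyError: an empty session looked up with [] instead of .get()
    try:
        load_session("", {})["user"]
    except KeyError as e:
        print("KeyError on empty session:", e)
    behind_proxy = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
    print("scheme as seen by wsgi:", effective_scheme(behind_proxy))
    print("scheme with proxy header honoured:", effective_scheme(behind_proxy, True))
```

Running it shows the secure cookie is only sent back over https, so on a plain-http localhost the server sees a fresh session and any direct key lookup fails; the fix is to serve the development instance over https (or leave `secure` off only for local http testing), and to verify in a deployment test that whatever sits in front of the app sets `wsgi.url_scheme` to `https` rather than trusting a client-suppliable header unconditionally.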
