Hi,
We've encountered a strange authorization issue we can't quite figure out
how to get past... When the users of our web app are inactive for a while
and they come back to use it, on first request they get an HTTPForbidden
error (presumably because the session has expired due to inactivity).
However, they're not logged out, and if they refresh the page everything
works as it should. The behavior is pretty easy to replicate: we just set
session.timeout to 5 seconds, and then use the app after being inactive for
5 seconds, and we always get the error. But here's the kicker: if we set
pyramid.debug_authorization to True then we don't see this issue!
We need help debugging this issue further... but we're pretty sure it's
something misconfigured on our end. We're running the latest Pyramid (1.9.1)
with pyramid_beaker for session management. Below is an excerpt from our
development.ini file with the relevant settings:
================================
pyramid.reload_templates = true
pyramid.debug_authorization = false
pyramid.debug_notfound = true
pyramid.debug_routematch = false
pyramid.default_locale_name = en
pyramid.includes =
    pyramid_tm
    pyramid_debugtoolbar
    pyramid_beaker
# Debug toolbar
debugtoolbar.enabled = false
debugtoolbar.hosts = 0.0.0.0/0
# Use http instead of https in local environment for base portal URL
auth.policy.secure = false
# Beaker config
cache.type = ext:memcached
cache.url = 127.0.0.1:11211
cache.lock_dir = %(here)s/data/sessions/lock
cache.regions = second, default_term, short_term, long_term, full_day, forever_term
cache.second.expire = 1
cache.short_term.expire = 60
cache.default_term.expire = 300
cache.long_term.expire = 3600
cache.full_day.expire = 86400
cache.forever_term.expire = 604800
session.type = ext:memcached
session.url = 127.0.0.1:11211
session.data_dir = %(here)s/data/sessions/data
session.lock_dir = %(here)s/data/sessions/lock
session.key = KEY_HNAME
session.secret = SECRET_KEY
session.cookie_expires = 86400
session.secure = false
session.timeout = 3600
# End of beaker config
================================
And here is the auth policy setup from our __init__.py file:
================================
from pyramid.authentication import AuthTktAuthenticationPolicy

authn_policy = AuthTktAuthenticationPolicy(
    # this is the secret used to sign cookies
    'SECRET_KEY',
    callback=groupfinder,
    # This should always be True, unless overridden in the development.ini file
    secure=use_https,
    http_only=True,
    timeout=21600,
    reissue_time=2160,
    max_age=86400,
    hashalg='sha512')
================================
Thanks
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/pylons-discuss/5c0a9c45-aa89-4de5-92df-0e6c44944a9d%40googlegroups.com.
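Added example, not part of the message above and not a reply from the list: a stand-alone Python model of the two independent inactivity timers that appear in the posted configuration, the AuthTkt cookie (timeout, reissue_time, max_age) and the Beaker session (session.timeout), replayed with the numbers from the post. The timer rules are the documented ones for those settings (a ticket is rejected once issued_at + timeout < now and re-issued once it is older than reissue_time; a Beaker session is discarded once more than session.timeout seconds pass without a request). The helper names (ticket_state, session_alive, simulate, cookie_outlives_session) are made up for this illustration, and the model makes no claim about why HTTPForbidden is raised in the poster's app.

```python
# Added example (not code from the post): a stand-alone model of the two
# independent inactivity timers configured above, the Pyramid AuthTkt cookie
# (timeout / reissue_time / max_age) and the Beaker session (session.timeout),
# replayed with the numbers from the post. The timer rules follow the documented
# behaviour of those settings; nothing here talks to memcached or Pyramid.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthTktSettings:
    timeout: int       # ticket rejected once this many seconds old (since last (re)issue)
    reissue_time: int  # a still-valid ticket older than this gets a fresh timestamp
    max_age: int       # browser-side cookie lifetime; the server does not consult it


# Values from the __init__.py and development.ini excerpts in the post.
POSTED_TKT = AuthTktSettings(timeout=21600, reissue_time=2160, max_age=86400)
POSTED_SESSION_TIMEOUT = 3600   # session.timeout in development.ini
REPRO_SESSION_TIMEOUT = 5       # the value the poster used to reproduce the problem


def ticket_state(issued_at, now, tkt):
    """What AuthTkt does with a ticket stamped `issued_at` when seen at `now`.

    'expired': issued_at + timeout < now, the request is treated as anonymous.
    'reissue': still accepted, but older than reissue_time, so the response
               carries a new cookie stamped `now`.
    'valid':   accepted as is.
    """
    if tkt.timeout and issued_at + tkt.timeout < now:
        return "expired"
    if tkt.reissue_time and now - issued_at > tkt.reissue_time:
        return "reissue"
    return "valid"


def session_alive(last_accessed, now, session_timeout):
    """Beaker's sliding inactivity window: the stored session is discarded
    once more than session.timeout seconds pass without a request."""
    return now - last_accessed <= session_timeout


def simulate(gaps, tkt, session_timeout):
    """Log in at t=0, then make one request after each idle gap in `gaps`.

    Returns (t, ticket_state, login_session_data_still_present) per request.
    Once the Beaker session times out, whatever was written at login is gone
    for good (a new, empty session replaces it), even if the ticket is fine.
    """
    now = 0
    issued_at = 0          # login sets the auth_tkt cookie
    last_accessed = 0      # login also writes to the session
    login_data_present = True
    records = []
    for gap in gaps:
        now += gap
        state = ticket_state(issued_at, now, tkt)
        alive = login_data_present and session_alive(last_accessed, now, session_timeout)
        records.append((now, state, alive))
        # side effects of serving this request
        login_data_present = alive
        last_accessed = now            # Beaker touches the (possibly new) session
        if state == "reissue":
            issued_at = now            # AuthTkt sets a fresh cookie on the response
    return records


def cookie_outlives_session(tkt, session_timeout):
    """Idle gaps (lo, hi] for which the ticket is still accepted but the Beaker
    session has already been discarded; None if no such gap exists."""
    if tkt.timeout <= session_timeout:
        return None
    return (session_timeout, tkt.timeout)


if __name__ == "__main__":
    print("repro (session.timeout=5): 6 s idle, then a refresh 1 s later")
    for rec in simulate([6, 1], POSTED_TKT, REPRO_SESSION_TIMEOUT):
        print("  t=%5d ticket=%-8s login session data present=%s" % rec)
    print("development.ini values: 1 h 1 s idle")
    for rec in simulate([3601], POSTED_TKT, POSTED_SESSION_TIMEOUT):
        print("  t=%5d ticket=%-8s login session data present=%s" % rec)
    print("idle gap where the cookie is accepted but the session is gone:",
          cookie_outlives_session(POSTED_TKT, POSTED_SESSION_TIMEOUT))
```

With the development.ini values, any idle gap longer than 3600 s and not longer than 21600 s is one where the auth cookie is still accepted (and, past 2160 s, silently re-issued) while whatever was stored in the Beaker session at login is gone; with session.timeout = 5 the same gap starts at 5 s. Anything that reads from the session on the first request after such a gap sees an empty session while the request is still authenticated, and the browser will keep presenting the cookie for max_age = 86400 s regardless.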