On Mon, Dec 10, 2018 at 12:21 PM Bert JW Regeer <[email protected]> wrote:
> Pyramid also by default supports all of the "secure" parts of the cookie.
> There are no extra flags that can't already be set using Pyramid.
>
> Using the Secure package for cookies is unnecessary.

I imagine the benefit is less for Pyramid's builtin sessions and auth tokens but for other arbitrary cookies a user may set, where right now you must remember/pass in all the options to `response.set_cookie`. If I were doing this myself I'd probably use `config.set_response_factory` to define a custom response subclass that contains some form of `response.set_secure_cookie(key, value, **kwargs)` that had signing built into it, or even just define some more purpose-built functions for the different types of cookies I want to set. Fortunately most of my apps don't set cookies other than auth/session so I don't really care. :-)

To summarize above, my main feedback would be that I'm a little surprised the library doesn't provide some way to define a context object that can be passed around with pre-configured settings. That way at the call-site where I want to set the cookie I can just grab some object and use my key/value without needing to think about the actual cookie properties. That would be an improvement over Pyramid's current `response.set_cookie`, which is pretty feature-complete with the SecureCookie offering in secure.

Imagine at config-time you define something like `remember_me_cookie = SecureCookie(...)` and then later on in your code you can set/grab the value for that cookie via `request.registry.remember_me_cookie.get_value(request)` and `request.registry.remember_me_cookie.set_value(response, value)`. This makes consuming the cookie super easy and secure by default because all the settings are configured at config-time. I'd argue for and define similar APIs for SecureHeaders etc.

- Michael
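The config-time cookie object Michael sketches, written out as an added example (this is not Pyramid's code nor the `secure` package's): a `SecureCookie` defined once with its flags and signing key, after which call sites only pass a value through `set_value`/`get_value`, and a token signed under the wrong key comes back as "not set". It assumes a WebOb/Pyramid-style `response.set_cookie(name, value, **opts)` and a `request.cookies` mapping; `FakeResponse`, `read_cookie`, `round_trip`, `forged_value` and the secret are constructed for the demonstration.

```python
import base64, hashlib, hmac, json
from types import SimpleNamespace

class SecureCookie:
    def __init__(self, name, secret, *, max_age=None, path='/', secure=True, httponly=True, samesite='Lax'):
        self.name, self._key = name, secret.encode()
        # WebOb/Pyramid-style set_cookie keyword arguments (assumed interface), fixed at config time
        self._opts = dict(max_age=max_age, path=path, secure=secure, httponly=httponly, samesite=samesite)

    def _mac(self, payload):
        # Bind the cookie name into the MAC so a token is not valid under another cookie name
        return hmac.new(self._key, self.name.encode() + b'\0' + payload, hashlib.sha256).digest()

    def set_value(self, response, value):
        payload = json.dumps(value, separators=(',', ':')).encode()
        token = base64.urlsafe_b64encode(payload + self._mac(payload)).decode()
        response.set_cookie(self.name, token, **self._opts)

    def get_value(self, request, default=None):
        try:
            raw = base64.urlsafe_b64decode(request.cookies.get(self.name) or '')
            payload, mac = raw[:-32], raw[-32:]
            if len(mac) == 32 and hmac.compare_digest(mac, self._mac(payload)):
                return json.loads(payload)
        except ValueError:  # undecodable base64 or JSON
            pass
        return default  # absent, malformed or forged: treat as not set

# Constructed stand-in for a WebOb/Pyramid Response (records set_cookie calls)
class FakeResponse:
    def __init__(self):
        self.cookies, self.opts = {}, {}
    def set_cookie(self, name, value, **opts):
        self.cookies[name], self.opts[name] = value, opts

# Config-time definition; views then only need this object and a value
REMEMBER_ME = SecureCookie('remember_me', 'constructed-demo-secret', max_age=3600)

def read_cookie(cookies, default=None):
    # Stand-in request carrying the browser's cookies back to the server
    return REMEMBER_ME.get_value(SimpleNamespace(cookies=cookies), default)

def round_trip(value):
    resp = FakeResponse()
    REMEMBER_ME.set_value(resp, value)
    return read_cookie(resp.cookies), resp.opts['remember_me']

def forged_value():
    # Token minted under a different key (i.e. without the real one) must be rejected
    resp = FakeResponse()
    SecureCookie('remember_me', 'wrong-secret').set_value(resp, {'user': 'mallory'})
    return read_cookie(resp.cookies, 'anonymous')
```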
