Some followup:
- https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html
  has a big section in red: 'By default the SignedCookieSessionFactory()
  <https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html#pyramid.session.SignedCookieSessionFactory>
  implementation contains the following security concerns:'

... which seems to argue against session, but maybe doesn't apply to 
access/refresh tokens? And/or maybe setting the cookie like we do isn't any 
better?

We also tried to follow
https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-2.0.html#upgrading-auth-20
... but not sure we did so correctly. That's what we're looking for
feedback on!

Scott
