Use https://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/usage.html

It encrypts the session that is stored in the cookie with NaCl. No longer is the 
content of the cookie something that an attacker can read/do anything with.


> On Nov 28, 2023, at 12:12, Scott Lawton <[email protected]> wrote:
> 
> Some followup:
> - https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html 
> has a big section in red: 'By default the SignedCookieSessionFactory() 
> <https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html#pyramid.session.SignedCookieSessionFactory> 
> implementation contains the following security concerns:
> 
> ... which seems to argue against session, but maybe doesn't apply to 
> access/refresh tokens? And/or maybe setting the cookie like we do isn't any 
> better?
> 
> We also tried to follow 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-2.0.html#upgrading-auth-20
> ... but not sure we did so correctly. That's what we're looking for feedback on!
> 
> Scott
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected] 
> <mailto:[email protected]>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/pylons-discuss/2dedd1e5-cffc-45c4-84b6-ebb142a68368n%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/pylons-discuss/2dedd1e5-cffc-45c4-84b6-ebb142a68368n%40googlegroups.com?utm_medium=email&utm_source=footer>.

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/DDE10BC4-ED19-424D-B48A-8916FC0D585B%400x58.com.

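As an added illustration (not code from this thread, from Pyramid or from pyramid_nacl_session) of the concern behind the quoted red warning and of why the reply recommends encrypting the cookie: a cookie that is only signed, sketched here with HMAC-SHA512 in the general shape of a signed cookie (Pyramid's exact serialization is not reproduced), still rejects tampering but leaves its contents readable to whoever holds it. The secret and session values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment uses a long random secret.
SECRET = b"constructed-demo-secret-not-for-production"
TAG_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_signed_cookie(session: dict, secret: bytes = SECRET) -> str:
    """Serialize the session, prepend an HMAC-SHA512 tag, base64 the result.
    This is integrity protection only: nothing here hides the payload."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha512).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()


def read_signed_cookie(cookie: str, secret: bytes = SECRET) -> Optional[dict]:
    """Server side: verify the tag in constant time; None means reject."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def peek_without_secret(cookie: str) -> dict:
    """Client side: no secret is needed to see what the session holds.
    This is exactly what an encrypted (NaCl SecretBox) cookie prevents."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    return json.loads(raw[TAG_LEN:])


def tampered_is_rejected(cookie: str) -> bool:
    """Flip one payload byte and confirm the server refuses the cookie."""
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[-2] ^= 0x01  # alter the payload; the tag no longer matches
    forged = base64.urlsafe_b64encode(bytes(raw)).decode()
    return read_signed_cookie(forged) is None


if __name__ == "__main__":
    cookie = make_signed_cookie({"user": "alice", "role": "admin"})
    print("server reads:", read_signed_cookie(cookie))
    print("anyone reads:", peek_without_secret(cookie))
    print("tamper rejected:", tampered_is_rejected(cookie))
```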