Fair enough!  I wrote `pyramid_session_multi` to let me map multiple 
ISession Session libraries onto a request.  On our largest project, we run 
a secondary server-side session and a mix of encrypted cookies to handle some 
"secret" data.  This library would let me drop one of the server-side 
sessions and replace the encrypted cookie with something more automated.  I 
am so excited and thankful you shared it!

On Friday, December 1, 2023 at 2:43:20 PM UTC-5 Delta Regeer wrote:

> Nope. I know it was created for a client of Agendaless, and I know it 
> exists. I have not used it because I don’t store secret data in cookies, so 
> using the signed factory one is easier and didn’t require additional crypto 
> libraries to be added to my stack.
>
> On Nov 30, 2023, at 15:26, Jonathan Vanasco <jvan...@gmail.com> wrote:
>
> Wow. This looks great. I wish I knew about it sooner.
>
> Digging into the code, there was a PR to split things out and support JSON 
> serialization – however there are no unit tests covering this or docs for 
> it.  @Delta do you know of any public examples of this usage?  If so I'd be 
> happy to play around with it and generate a PR for unit tests.
>
> I often manually generate and read encrypted cookies, which can be a 
> chore.  This would be incredibly useful to me in a few projects.
>
> On Thursday, November 30, 2023 at 2:48:03 PM UTC-5 Delta Regeer wrote:
>
>> Use 
>> https://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/usage.html
>>
>> It encrypts the session that is stored in the cookie with NaCl. No longer 
>> is the content of the cookie something that an attacker can read/do 
>> anything with.
>>
>>
>> On Nov 28, 2023, at 12:12, Scott Lawton <scott.s...@gmail.com> wrote:
>>
>> Some followup:
>> - https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html
>> has a big section in red: 'By default the SignedCookieSessionFactory() 
>> <https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html#pyramid.session.SignedCookieSessionFactory>
>> implementation contains the following security concerns:'
>>
>> ... which seems to argue against session, but maybe doesn't apply to 
>> access/refresh tokens? And/or maybe setting the cookie like we do isn't any 
>> better?
>>
>> We also tried to follow 
>> https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-2.0.html#upgrading-auth-20
>> ... but not sure we did so correctly. That's what we're looking for 
>> feedback on!
>>
>> Scott
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to pylons-discus...@googlegroups.com.
>>
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/pylons-discuss/2dedd1e5-cffc-45c4-84b6-ebb142a68368n%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/pylons-discuss/2dedd1e5-cffc-45c4-84b6-ebb142a68368n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>>
>>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/pylons-discuss/b8039844-e54d-4b80-be42-ec56dca2e066n%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/pylons-discuss/b8039844-e54d-4b80-be42-ec56dca2e066n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/7b4d41f8-526b-4330-8991-594e0f09d432n%40googlegroups.com.

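The contrast this thread is about, as an added example that is not code from Pyramid, pyramid_nacl_session or any of the posters: a signed cookie session (the SignedCookieSessionFactory model) lets the holder of the cookie read the whole session without any key, while an encrypted cookie (the pyramid_nacl_session model) does not. Everything below is stdlib-only and my own approximation of the two layouts; the encrypt-then-MAC construction (HMAC-SHA256 in counter mode as a keystream) is a stand-in for NaCl SecretBox so the file runs without PyNaCl, not something to ship. The session contents and the key are constructed sample data.

```python
# Added example: stdlib-only model of signed vs encrypted cookie sessions.
# Not Pyramid's or pyramid_nacl_session's code; layouts are approximations.
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

MAC_LEN = 64                  # SHA-512 digest, used by the signed cookie
TAG_LEN, NONCE_LEN = 32, 16   # used by the encrypted cookie


def _serialize(session: dict) -> bytes:
    # JSON, as Pyramid 2.0 does by default; never pickle client-supplied data
    return json.dumps(session, separators=(",", ":"), sort_keys=True).encode()


# ---- Signed-but-not-encrypted cookie (SignedCookieSessionFactory model) ----
# Layout assumed here: base64url(HMAC-SHA512(secret, body) || body).

def sign_session(secret: bytes, session: dict) -> str:
    body = _serialize(session)
    mac = hmac.new(secret, body, hashlib.sha512).digest()
    return base64.urlsafe_b64encode(mac + body).decode()


def verify_session(secret: bytes, cookie: str) -> Optional[dict]:
    raw = base64.urlsafe_b64decode(cookie)
    mac, body = raw[:MAC_LEN], raw[MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(secret, body, hashlib.sha512).digest()):
        return None  # forged or tampered: integrity is all the signature buys
    return json.loads(body)


def peek_signed_session(cookie: str) -> dict:
    """What anyone holding the cookie (browser devtools, proxy log, leaked
    HAR file) can read: no secret needed, because nothing is encrypted."""
    return json.loads(base64.urlsafe_b64decode(cookie)[MAC_LEN:])


def forge_signed_session(cookie: str, **changes) -> str:
    """Attacker edits the visible body and keeps the old MAC; verify_session
    rejects it, which is the one guarantee the signed cookie does give."""
    raw = base64.urlsafe_b64decode(cookie)
    body = json.loads(raw[MAC_LEN:])
    body.update(changes)
    return base64.urlsafe_b64encode(raw[:MAC_LEN] + _serialize(body)).decode()


# ---- Encrypted cookie (pyramid_nacl_session model) ----
# Stand-in for NaCl SecretBox: encrypt-then-MAC with an HMAC-SHA256 counter-mode
# keystream. Use the real library in production; this only keeps the example offline.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    enc = hmac.new(key, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"example-mac", hashlib.sha256).digest()
    return enc, mac


def encrypt_session(key: bytes, session: dict) -> str:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)  # fresh per cookie; reuse breaks confidentiality
    body = _serialize(session)
    ct = bytes(p ^ k for p, k in zip(body, _keystream(enc_key, nonce, len(body))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + nonce + ct).decode()


def decrypt_session(key: bytes, cookie: str) -> Optional[dict]:
    enc_key, mac_key = _subkeys(key)
    raw = base64.urlsafe_b64decode(cookie)
    tag, nonce, ct = raw[:TAG_LEN], raw[TAG_LEN:TAG_LEN + NONCE_LEN], raw[TAG_LEN + NONCE_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # check the tag before touching the ciphertext
    body = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(body)


def peek_encrypted_session(cookie: str) -> bytes:
    """All a cookie holder sees: ciphertext. Length still leaks and the cookie
    is still replayable until it expires; encryption fixes confidentiality only."""
    return base64.urlsafe_b64decode(cookie)[TAG_LEN + NONCE_LEN:]


def flip_byte(cookie: str, index: int = -1) -> str:
    """Bit-flip one byte of the raw cookie, as a transport-level tamper."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    key = os.urandom(32)
    session = {"user_id": 42, "role": "staff", "api_token": "constructed-secret"}
    signed = sign_session(key, session)
    print("signed cookie, read without the key:", peek_signed_session(signed))
    print("forged role accepted?", verify_session(key, forge_signed_session(signed, role="admin")))
    encrypted = encrypt_session(key, session)
    print("encrypted cookie, read without the key:", peek_encrypted_session(encrypted))
    print("decrypts with key:", decrypt_session(key, encrypted))
```

Running it shows the point the docs' red box and Delta's "I don't store secret data in cookies" are making: the signed cookie's `api_token` is plaintext to whoever holds the cookie, even though the forged `role=admin` is rejected. The encrypted cookie hides the content but still does not solve replay or server-side revocation, which is why a server-side session remains the right home for anything that must be revocable.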