An auth_tkt cookie also has space to store 'tokens', i.e. groups or
roles and 'user data', which might be used for storing fullname and
email address. Obviously there is a trade-off to be made between
cacheability and liveness, but for many sites I suspect all of this
data could be safely set on a cookie at login time. (The cookie itself
is signed so it is safe to trust that data.)


On 7 January 2011 13:32, Daniel Holth <> wrote:
> In my application, authenticated_userid() is just the integer primary key of
> the user table stored in an auth_tkt cookie. It does not consult the
> database at all. I do not remove users from the database, but they have an
> 'is_active' flag which controls whether they are allowed to log in.
> The effective_principals callback is pretty much
> return [str(group) for group in
> request.sqlalchemy_session.query(User).get(authenticated_userid(request)).groups]
> which could be only 1 query by eagerloading the groups, but I don't mind
> doing 2.
> Since the sqlalchemy session for the request keeps an identity map of all
> objects fetched during the transaction,
> sqlalchemy_session.query(User).get(authenticated_userid(request)) is a dict
> lookup, not a SQL query, during the remainder of the request.
> Hey look, here's the source:
> Daniel Holth
> _______________________________________________
> Repoze-dev mailing list
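As an added example, not code from this thread, from repoze.who or from mod_auth_tkt, here is a simplified signed-ticket implementation in Python that shows the design the reply argues for: group 'tokens' and 'user data' placed in the cookie at login, trusted because the signature verifies, and an effective_principals callback that answers from the cookie without a database lookup. The ticket layout, the HMAC-SHA256 signature (in place of the real auth_tkt MD5 scheme), SECRET, the timestamps and the user values are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example; a real site keeps it in config, not code.
SECRET = b"example-only-secret"
_SIG_LEN = 64  # hex length of an HMAC-SHA256 digest


def make_ticket(userid, tokens, user_data, secret=SECRET, now=None):
    """Build a signed ticket carrying userid, group tokens and user data.

    Layout (assumed for this example, not the mod_auth_tkt MD5 format):
        <hex sig><8 hex digit timestamp><userid>!<tok1,tok2>!<user_data>
    The signature covers everything after it, so any edit to the groups or
    the user data breaks verification.
    """
    if "!" in userid or any("!" in t or "," in t for t in tokens):
        raise ValueError("userid and tokens must not contain '!' or ','")
    ts = int(time.time() if now is None else now)
    payload = "%08x%s!%s!%s" % (ts, userid, ",".join(tokens), user_data)
    sig = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig + payload


def parse_ticket(ticket, secret=SECRET, max_age=None, now=None):
    """Verify the signature (and age) and return the ticket fields, or None."""
    sig, payload = ticket[:_SIG_LEN], ticket[_SIG_LEN:]
    expected = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time compare: a forged or altered cookie is rejected here.
    if len(sig) != _SIG_LEN or not hmac.compare_digest(sig, expected):
        return None
    try:
        ts = int(payload[:8], 16)
        userid, token_str, user_data = payload[8:].split("!", 2)
    except ValueError:
        return None
    current = time.time() if now is None else now
    # Liveness knob: max_age bounds how stale the cached groups can be.
    # A flipped 'is_active' flag takes effect only once the ticket expires.
    if max_age is not None and current - ts > max_age:
        return None
    return {
        "userid": userid,
        "tokens": [t for t in token_str.split(",") if t],
        "user_data": user_data,
        "timestamp": ts,
    }


def effective_principals(ticket, secret=SECRET, max_age=None, now=None):
    """Principals for the request, answered from the cookie alone.

    Unlike the callback in the quoted mail, this never queries the user
    table: the groups were written into the cookie at login and are trusted
    because the signature verified.
    """
    fields = parse_ticket(ticket, secret, max_age, now)
    if fields is None:
        return ["system.Everyone"]
    return (["system.Everyone", "system.Authenticated", fields["userid"]]
            + ["group:" + g for g in fields["tokens"]])


if __name__ == "__main__":
    login_time = 1294400000  # constructed: roughly the date of the thread
    cookie = make_ticket("42", ["admins", "editors"],
                         "fullname=Ada Lovelace;email=ada@example.com",
                         now=login_time)
    print(effective_principals(cookie, now=login_time + 60, max_age=3600))
    # A cookie whose group list was edited fails verification and yields None
    print(parse_ticket(cookie.replace("admins", "owners")))
```

The trade-off in the reply lives in max_age: the shorter it is, the sooner a revoked group or deactivated account stops being honoured, at the cost of more frequent re-login (or a server-side refresh of the ticket).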