An auth_tkt cookie also has space to store 'tokens', i.e. groups or roles, and 'user data', which might be used for storing fullname and email address. Obviously there is a trade-off to be made between cacheability and liveness, but for many sites I suspect all of this data could be safely set on a cookie at login time. (The cookie itself is signed so it is safe to trust that data.)
Laurence

On 7 January 2011 13:32, Daniel Holth <dho...@gmail.com> wrote:
> In my application, authenticated_userid() is just the integer primary key of
> the user table stored in an auth_tkt cookie. It does not consult the
> database at all. I do not remove users from the database, but they have an
> 'is_active' flag which controls whether they are allowed to log in.
>
> The effective_principals callback is pretty much
>
> return [str(group) for group in
> request.sqlalchemy_session.query(User).get(authenticated_userid(request)).groups]
>
> which could be only 1 query by eagerloading the groups, but I don't mind
> doing 2.
>
> Since the sqlalchemy session for the request keeps an identity map of all
> objects fetched during the transaction,
> sqlalchemy_session.query(User).get(authenticated_userid(request)) is a dict
> lookup, not a SQL query, during the remainder of the request.
>
> Hey look, here's the source:
> https://bitbucket.org/dholth/stucco_auth/src/stucco_auth/security.py
>
> Daniel Holth
>
> _______________________________________________
> Repoze-dev mailing list
> Repoze-dev@lists.repoze.org
> http://lists.repoze.org/listinfo/repoze-dev
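The approach Laurence sketches above, carrying groups ('tokens') and user data in the signed cookie so that the effective_principals callback needs no database round trip, is shown below as an added example. It is not code from this thread, from stucco_auth or from repoze.who/pyramid, and it deliberately does not reproduce the real auth_tkt wire format: it uses a simplified layout with an HMAC-SHA256 signature, a constructed secret, and illustrative principal names (`system.Everyone`, `group:<token>`). The point it demonstrates is the one Laurence makes: the fields are only trusted after the signature has been verified, and the liveness trade-off is bounded by a maximum ticket age.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import quote, unquote

# Constructed secret for this example only; a real deployment loads it from
# configuration, never from source control.
SECRET = b"example-only-secret-do-not-reuse"
FIELD_SEP = "|"  # fields are percent-encoded, so the separator cannot appear inside one


def make_ticket(userid: str, tokens: list[str], user_data: str,
                secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Build a signed ticket carrying userid, tokens (groups/roles) and user data.

    Simplified, auth_tkt-inspired layout (not the real auth_tkt format):
        <hmac-sha256 hex>.<timestamp>|<userid>|<tok1,tok2,...>|<user_data>
    Every field is percent-encoded so '|' or ',' inside a value cannot break parsing.
    """
    ts = int(time.time()) if now is None else now
    payload = FIELD_SEP.join([
        str(ts),
        quote(userid, safe=""),
        quote(",".join(tokens), safe=""),
        quote(user_data, safe=""),
    ])
    sig = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{sig}.{payload}"


def parse_ticket(cookie: str, max_age: int, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Verify signature and age of a ticket; return its fields, or None if untrusted.

    The signature is checked before any field is decoded, so a forged or
    modified cookie never reaches the caller's group logic.
    """
    sig, dot, payload = cookie.partition(".")
    if dot != ".":
        return None
    expected = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    parts = payload.split(FIELD_SEP)
    if len(parts) != 4:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if current - ts > max_age or ts > current:
        return None  # stale ticket, or one dated in the future
    tokens_field = unquote(parts[2])
    return {
        "userid": unquote(parts[1]),
        "tokens": [t for t in tokens_field.split(",") if t],
        "user_data": unquote(parts[3]),
        "issued": ts,
    }


def effective_principals(cookie: Optional[str], max_age: int = 3600,
                         now: Optional[int] = None) -> list[str]:
    """Group-finder style callback that derives principals from the cookie alone.

    Principal names are illustrative. A missing, tampered or expired cookie
    yields only the anonymous principal, so callers fail closed.
    """
    principals = ["system.Everyone"]
    if cookie is None:
        return principals
    ticket = parse_ticket(cookie, max_age=max_age, now=now)
    if ticket is None:
        return principals
    principals.append("system.Authenticated")
    principals.append(ticket["userid"])
    principals.extend(f"group:{tok}" for tok in ticket["tokens"])
    return principals


if __name__ == "__main__":
    issued = 1_000_000  # constructed timestamp
    t = make_ticket("42", ["admin", "editor"], "Jane Doe <jane@example.org>", now=issued)
    print(effective_principals(t, now=issued + 100))                        # valid
    print(effective_principals(t.replace("admin", "owner"), now=issued + 100))  # tampered
    print(effective_principals(t, max_age=60, now=issued + 100))            # expired
```

The `max_age` parameter is where the cacheability-versus-liveness trade-off lives: a revoked group membership or a cleared `is_active` flag only takes effect once the ticket has aged out (or the user re-authenticates), so shorter lifetimes buy faster revocation at the cost of more frequent logins or re-issuance.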