cubicweb.pyramid.session

Web session when using pyramid
CubicWeb provides the CWSession entity type so that sessions can be stored in the database, which makes it possible to run a CubicWeb instance without having to set up a session storage solution (like redis or memcache).
However, for production systems, it is strongly advised to use such a storage solution for the sessions.
Session handling is done by pyramid (see pyramid's documentation on sessions for more details).
For example, to set up a redis-based session storage, you need the pyramid-redis-session package; you must then configure pyramid to use this backend in the pyramid configuration file:
[main]
# we do not want to load the default cw session handling
cubicweb.defaults = no
cubicweb.auth.authtkt.session.secret = <secret1>
cubicweb.auth.authtkt.persistent.secret = <secret2>
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = yes
redis.sessions.secret = <secret3>
redis.sessions.prefix = <my-app>:
redis.sessions.url = redis://localhost:6379/0
pyramid.includes =
    pyramid_redis_sessions
    cubicweb.pyramid.auth
    cubicweb.pyramid.login
Warning
If you want to be able to log in to a CubicWeb application served by pyramid over an unsecured stream (typically when you start an instance in dev mode using a simple cubicweb-ctl pyramid -D -linfo myinstance), you must set cubicweb.auth.authtkt.session.secure to no. With the secure flag set, the browser only sends the cookie over HTTPS.
Secrets
There are a number of secrets to configure in pyramid.ini. They should all be different from one another, as explained in Pyramid's documentation.
For the record, regarding session handling:
cubicweb.session.secret
    This secret is used to encrypt the session's data ID (the data themselves are stored in the backend, database or redis) when using the integrated (CWSession based) session data storage.

redis.sessions.secret
    This secret is used to encrypt the session's data ID (the data themselves are stored in the backend, database or redis) when using redis as backend.
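
The advice above (distinct secrets, secure flags left on outside dev mode) can be checked mechanically. The following is an added example, not part of CubicWeb or its documentation; it assumes the key names shown on this page, and the function name audit_pyramid_ini and the 32-character minimum are choices made for this example.

```python
import configparser

# Keys as they appear in the pyramid.ini on this page.
SECRET_KEYS = (
    "cubicweb.auth.authtkt.session.secret",
    "cubicweb.auth.authtkt.persistent.secret",
    "cubicweb.session.secret",
    "redis.sessions.secret",
)
SECURE_KEYS = (
    "cubicweb.auth.authtkt.session.secure",
    "cubicweb.auth.authtkt.persistent.secure",
)
MIN_SECRET_LEN = 32  # assumption: local policy, not a CubicWeb requirement
TRUTHY = {"yes", "true", "on", "1"}

# Constructed sample input, not a real deployment.
SAMPLE_INI = """
[main]
cubicweb.auth.authtkt.session.secret = 3f9c0e5ab1d24c7f8e6a9b0c1d2e3f4a5b6c7d8e
cubicweb.auth.authtkt.persistent.secret = 3f9c0e5ab1d24c7f8e6a9b0c1d2e3f4a5b6c7d8e
cubicweb.auth.authtkt.session.secure = no  # dev-mode leftover
redis.sessions.secret = <secret3>
"""

def audit_pyramid_ini(text):
    """Return findings (strings) for the [main] section of a pyramid.ini."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    findings, seen = [], {}
    for key in SECRET_KEYS:
        value = main.get(key)
        if value is None:
            continue  # a deployment only sets the secrets of the backend it uses
        if value.startswith("<") or len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: placeholder or under {MIN_SECRET_LEN} chars")
        if value in seen:
            findings.append(f"{key}: same value as {seen[value]}")
        seen.setdefault(value, key)
    for key in SECURE_KEYS:
        value = main.get(key)
        # Only an explicit non-truthy value is reported; defaults are not assumed.
        if value is not None and value.strip().lower() not in TRUTHY:
            findings.append(f"{key}: disabled, cookie can travel over plain HTTP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pyramid_ini(SAMPLE_INI)))
```

Running it against a production pyramid.ini before deployment catches a dev-mode secure = no that was never reverted.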

cubicweb.pyramid.session.includeme(config)
    Activate the CubicWeb session factory.

    Usually called via config.include('cubicweb.pyramid.auth').

    See also cubicweb.pyramid.defaults

cubicweb.pyramid.session.CWSessionFactory(secret, cookie_name='session', max_age=None, path='/', domain=None, secure=False, httponly=True, set_on_exception=True, timeout=1200, reissue_time=120, hashalg='sha512', salt='pyramid.session.', serializer=None)
    A pyramid session factory that stores session data in the CubicWeb database.

    Storage is done with the 'CWSession' entity, which is provided by the 'pyramid' cube.

    Warning
    Although it provides a sane default behavior, this session storage has a serious overhead because it uses RQL to access the database.
    Using pure SQL would improve things a bit (it is roughly twice as fast), but it is still pretty slow and thus not an immediate priority.
    It is recommended to use a faster session factory (pyramid_redis_sessions for example) if you need speed.