cubicweb.pyramid.session

Web session when using pyramid

This module uses the CubicWeb CWSession entity type so that sessions can be stored in the database, which allows running a CubicWeb instance without having to set up a separate session storage solution (such as Redis or memcached).

However, for production systems, it is strongly advised to use such a dedicated storage solution for the sessions.

Sessions themselves are handled by Pyramid (see the `pyramid's documentation on sessions`_ for more details).

For example, to set up a Redis based session storage, you need the `pyramid-redis-session`_ package, then you must configure Pyramid to use this backend by editing the pyramid.ini configuration file:

[main]
cubicweb.defaults = no # we do not want to load the default cw session handling

cubicweb.auth.authtkt.session.secret = <secret1>
cubicweb.auth.authtkt.persistent.secret = <secret2>
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = yes

redis.sessions.secret = <secret3>
redis.sessions.prefix = <my-app>:

redis.sessions.url = redis://localhost:6379/0

pyramid.includes =
        pyramid_redis_sessions
        cubicweb.pyramid.auth
        cubicweb.pyramid.login

Warning

If you want to be able to log in to a CubicWeb application served by Pyramid over an unencrypted connection (plain HTTP, typically when you start an instance in dev mode using a simple cubicweb-ctl pyramid -D -linfo myinstance), you must set cubicweb.auth.authtkt.session.secure to no. Otherwise the browser will never send back a cookie flagged Secure, and every login attempt will silently fail. Do not ship this setting to production.

Secrets

There are a number of secrets to configure in pyramid.ini. They should be long, random values, each different from the others, as explained in `Pyramid's documentation`_: the secrets key the signatures of the cookies, so a secret that is guessable or shared between two cookie types lets a forged cookie of one type pass as the other.

For the record, regarding session handling:

cubicweb.session.secret

This secret is used to sign the cookie carrying the session ID (the session data itself is stored in the backend, here the database) when using the integrated (CWSession based) session data storage.

redis.sessions.secret

This secret is used to sign the cookie carrying the session ID (the session data itself is stored in the backend, here Redis) when using pyramid_redis_sessions as backend.
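The configuration fragment and the secret-handling rules above are easy to get wrong by hand (a placeholder left in place, the same value pasted twice, secure still set to no on a production host). The following is an added example, not part of CubicWeb or pyramid_redis_sessions: a small checker that reads the [main] section of a pyramid.ini with the standard-library ConfigParser and applies exactly the rules stated on this page, plus a helper that generates three distinct random secrets as ready-to-paste INI lines. The 32-character minimum length and the sample_ini() builder are assumptions made for the example; the key names are the ones used in the configuration above.

```python
"""Sanity-check the session settings of a CubicWeb/Pyramid pyramid.ini.

Added example, not project code.  Rules applied (from the documentation):
  * every secret required by the chosen backend is set and not a placeholder;
  * all secrets are distinct;
  * the authtkt secure flags are enabled, unless dev_mode=True is passed
    (the documented exception for a plain-HTTP development instance).
"""
import configparser
import secrets

# Key names as they appear in the documented pyramid.ini fragment.
AUTHTKT_SECRETS = (
    "cubicweb.auth.authtkt.session.secret",
    "cubicweb.auth.authtkt.persistent.secret",
)
BACKEND_SECRET = {
    "redis": "redis.sessions.secret",       # pyramid_redis_sessions
    "cwsession": "cubicweb.session.secret",  # integrated CWSession storage
}
SECURE_FLAGS = (
    "cubicweb.auth.authtkt.session.secure",
    "cubicweb.auth.authtkt.persistent.secure",
)
MIN_SECRET_LEN = 32  # assumption for this example: shorter values are rejected
TRUE_VALUES = ("yes", "true", "on", "1")


def _main_section(ini_text):
    # interpolation=None keeps '%' in secrets harmless; inline '#' comments
    # are allowed because the documented fragment uses one.
    parser = configparser.ConfigParser(interpolation=None,
                                       inline_comment_prefixes=("#",))
    parser.read_string(ini_text)
    return parser["main"]


def check_session_settings(ini_text, dev_mode=False):
    """Return a list of human-readable findings; an empty list means OK."""
    main = _main_section(ini_text)
    findings = []
    includes = main.get("pyramid.includes", "")
    backend = "redis" if "pyramid_redis_sessions" in includes else "cwsession"
    required = AUTHTKT_SECRETS + (BACKEND_SECRET[backend],)

    accepted = {}  # key -> value, for the distinctness check below
    for key in required:
        value = main.get(key, "").strip()
        if not value or value.startswith("<"):
            findings.append(f"{key}: missing or still a placeholder")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
        else:
            accepted[key] = value

    # Secrets must differ from each other (Pyramid's documentation).
    first_seen = {}
    for key, value in accepted.items():
        if value in first_seen:
            findings.append(f"{key}: reuses the value of {first_seen[value]}")
        first_seen.setdefault(value, key)

    for key in SECURE_FLAGS:
        if main.get(key, "no").strip().lower() not in TRUE_VALUES and not dev_mode:
            findings.append(f"{key}: not enabled; cookies would be sent over plain HTTP")
    return findings


def generate_secret(nbytes=48):
    """Fresh URL-safe random secret (64 characters for 48 bytes)."""
    return secrets.token_urlsafe(nbytes)


def render_secrets(backend="redis"):
    """Three distinct, freshly generated secrets as INI lines ready to paste."""
    keys = AUTHTKT_SECRETS + (BACKEND_SECRET[backend],)
    return "\n".join(f"{key} = {generate_secret()}" for key in keys)


def sample_ini(session_secret, persistent_secret, redis_secret, secure="yes"):
    """Constructed [main] section mirroring the documented fragment (demo only)."""
    return "\n".join([
        "[main]",
        "cubicweb.defaults = no # we do not want to load the default cw session handling",
        f"cubicweb.auth.authtkt.session.secret = {session_secret}",
        f"cubicweb.auth.authtkt.persistent.secret = {persistent_secret}",
        f"cubicweb.auth.authtkt.session.secure = {secure}",
        f"cubicweb.auth.authtkt.persistent.secure = {secure}",
        f"redis.sessions.secret = {redis_secret}",
        "redis.sessions.prefix = myapp:",
        "redis.sessions.url = redis://localhost:6379/0",
        "pyramid.includes =",
        "    pyramid_redis_sessions",
        "    cubicweb.pyramid.auth",
        "    cubicweb.pyramid.login",
    ])


if __name__ == "__main__":
    # The documented fragment, placeholders left in and secure=no: five findings.
    for line in check_session_settings(
            sample_ini("<secret1>", "<secret2>", "<secret3>", secure="no")):
        print(line)
    print(render_secrets())
```

Run it against a real file with check_session_settings(open("pyramid.ini").read()); pass dev_mode=True only for the development case described in the warning above. The distinctness check compares the values after the length and placeholder checks, so a reused placeholder is reported once, as a placeholder, rather than twice.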

cubicweb.pyramid.session.includeme(config)[source]

Activate the CubicWeb session factory.

Usually called via config.include('cubicweb.pyramid.auth').

See also cubicweb.pyramid.defaults

cubicweb.pyramid.session.CWSessionFactory(secret, cookie_name='session', max_age=None, path='/', domain=None, secure=False, httponly=True, set_on_exception=True, timeout=1200, reissue_time=120, hashalg='sha512', salt='pyramid.session.', serializer=None)[source]

A Pyramid session factory that stores session data in the CubicWeb database.

Storage is done with the ‘CWSession’ entity, which is provided by the ‘pyramid’ cube.

Warning

Although it provides a sane default behavior, this session storage has a serious overhead because it uses RQL to access the database.

Using pure SQL would improve things a bit (it is roughly twice as fast), but it would still be pretty slow, so this is not an immediate priority.

It is recommended to use a faster session factory (pyramid_redis_sessions, for example) if you need speed.