cubicweb.pyramid.session

Web session when using pyramid

The pyramid cube provides a CubicWeb CWSession entity type so that sessions can be stored in the database, which allows running a CubicWeb instance without having to set up a dedicated session storage solution (such as Redis or memcached).

However, for production systems it is strongly advised to use such a storage solution for the sessions.

Session handling itself is done by Pyramid (see Pyramid's documentation on sessions for more details).

For example, to set up a Redis based session storage, you need the pyramid-session-redis package; then you must configure Pyramid to use that backend by editing the pyramid.ini configuration file:

[main]
# we do not want to load the default cw session handling
cubicweb.defaults = no

cubicweb.auth.authtkt.session.secret = <secret1>
cubicweb.auth.authtkt.persistent.secret = <secret2>
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = yes

redis.sessions.secret = <secret3>
redis.sessions.prefix = <my-app>:

redis.sessions.url = redis://localhost:6379/0

cubicweb.pyramid.auth = yes

pyramid.includes =
        pyramid_session_redis

Warning

If you want to be able to log in to a CubicWeb application served by Pyramid over an unencrypted connection (typically when you start an instance in dev mode with a plain cubicweb-ctl start -D -linfo myinstance), you must set cubicweb.auth.authtkt.session.secure to no: a cookie marked Secure is never sent by the browser over plain HTTP, so the login would not stick.

Secrets

There are a number of secrets to configure in pyramid.ini. They should all be different from one another, as explained in Pyramid's documentation.

For the record, regarding session handling:

cubicweb.session.secret

This secret is used to sign the session ID carried by the cookie (the session data themselves are stored in the backend, here the database), so that a client cannot forge or tamper with the ID, when using the integrated (CWSession based) session data storage. The hash algorithm and salt used for the signature are the hashalg and salt parameters of CWSessionFactory below.

redis.sessions.secret

This secret is used to sign the session ID carried by the cookie (the session data themselves are stored in Redis) when using Redis as the backend.
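The following is an added example, not CubicWeb or Pyramid code: a small linter for the settings discussed above. It reads the [main] section of a pyramid.ini as a plain INI file with Python's configparser and reports the mistakes the configuration example, the Warning and the Secrets section describe: missing or placeholder secrets, the same value reused for several secrets, the Secure flags left off outside dev mode, and inline comments that configparser keeps as part of a value (so that "yes # note" is not a true boolean). The key names are those used on this page; the 32-character minimum length, the defaults assumed for absent settings, and the rule that the integrated CWSession storage is in use whenever pyramid_session_redis is not included are assumptions of this example. The two sample files are constructed for the example, with obviously fake secrets.

```python
"""Lint session-related settings of a CubicWeb pyramid.ini (added example,
not part of CubicWeb or Pyramid; thresholds and defaults are assumptions)."""
import configparser

SECRET_KEYS = (
    "cubicweb.auth.authtkt.session.secret",
    "cubicweb.auth.authtkt.persistent.secret",
    "cubicweb.session.secret",
    "redis.sessions.secret",
)
SECURE_KEYS = (
    "cubicweb.auth.authtkt.session.secure",
    "cubicweb.auth.authtkt.persistent.secure",
)
TRUTHY = ("true", "yes", "on", "1")


def asbool(value):
    """Pyramid-style boolean parsing: anything not in TRUTHY is False."""
    return str(value).strip().lower() in TRUTHY


def lint_session_settings(ini_text, dev_mode=False, minimum_secret_length=32):
    """Return a list of findings; an empty list means the settings look sane."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if "main" not in parser:
        return ["no [main] section found"]
    main = parser["main"]
    findings = []

    # configparser strips whole-line comments only: "yes # note" stays the
    # literal value, and asbool() of that string is False, so a Secure flag
    # written with a trailing comment is silently turned off.
    for key, value in main.items():
        if " #" in value or " ;" in value:
            findings.append(f"{key}: inline comment is part of the value {value!r}")

    # Which secrets are mandatory depends on the backends in use (assumption:
    # the integrated CWSession storage is used whenever redis is not included).
    includes = main.get("pyramid.includes", "").split()
    required = set()
    if asbool(main.get("cubicweb.pyramid.auth", "no")):
        required.update(SECRET_KEYS[:2])
    if "pyramid_session_redis" in includes:
        required.add("redis.sessions.secret")
    else:
        required.add("cubicweb.session.secret")
    for key in sorted(required):
        if not main.get(key, "").strip():
            findings.append(f"{key}: required secret is missing or empty")

    # Every secret that is set must be a real value, long enough and unique.
    present = {k: main[k].strip() for k in SECRET_KEYS if main.get(k, "").strip()}
    for key, secret in present.items():
        if secret.startswith("<") and secret.endswith(">"):
            findings.append(f"{key}: placeholder value left in the file")
        if len(secret) < minimum_secret_length:
            findings.append(f"{key}: shorter than {minimum_secret_length} characters")
    first_seen = {}
    for key, secret in present.items():
        if secret in first_seen:
            findings.append(f"{key}: reuses the value of {first_seen[secret]}")
        else:
            first_seen[secret] = key

    # Outside dev mode the authtkt cookies must carry the Secure attribute.
    if not dev_mode:
        for key in SECURE_KEYS:
            if not asbool(main.get(key, "no")):
                findings.append(f"{key}: must be 'yes' when serving over HTTPS")
    return findings


# Constructed sample files for this example; the secrets are obviously fake.
GOOD_INI = """\
[main]
# comment on its own line, as configparser expects
cubicweb.defaults = no
cubicweb.auth.authtkt.session.secret = session-secret-0123456789abcdef0123456789abcdef
cubicweb.auth.authtkt.persistent.secret = persistent-secret-fedcba9876543210fedcba9876543210
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = yes
redis.sessions.secret = redis-secret-00112233445566778899aabbccddeeff
redis.sessions.url = redis://localhost:6379/0
cubicweb.pyramid.auth = yes
pyramid.includes =
        pyramid_session_redis
"""

BAD_INI = """\
[main]
cubicweb.defaults = no
cubicweb.auth.authtkt.session.secret = shared-secret-0123456789abcdef0123456789abcdef
cubicweb.auth.authtkt.persistent.secret = shared-secret-0123456789abcdef0123456789abcdef
cubicweb.auth.authtkt.session.secure = yes # forced on
cubicweb.auth.authtkt.persistent.secure = yes
redis.sessions.secret = <secret3>
cubicweb.pyramid.auth = yes
pyramid.includes =
        pyramid_session_redis
"""
```

Calling lint_session_settings(GOOD_INI) returns an empty list, while lint_session_settings(BAD_INI) reports the inline comment on the session.secure flag, the placeholder and too-short Redis secret, the persistent secret reusing the session secret, and the resulting loss of the Secure flag; pass dev_mode=True to suppress the Secure check when deliberately running over plain HTTP as the Warning above describes.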

cubicweb.pyramid.session.includeme(config)

Activate the CubicWeb session factory.

It is automatically included by the configuration system, unless the following entry is added to the Pyramid settings file:

cubicweb.pyramid.session = no

cubicweb.pyramid.session.CWSessionFactory(secret, cookie_name='session', max_age=None, path='/', domain=None, secure=False, httponly=True, set_on_exception=True, timeout=1200, reissue_time=120, hashalg='sha512', salt='pyramid.session.', serializer=None)

A Pyramid session factory that stores session data in the CubicWeb database. Note that, as in Pyramid's own cookie session factories, secure defaults to False: the session cookie is only marked Secure if the factory is configured that way.

Storage is done with the ‘CWSession’ entity, which is provided by the ‘pyramid’ cube.

Warning

Although it provides a sane default behavior, this session storage has a serious overhead because it uses RQL to access the database.

Using pure SQL would improve things a bit (it is roughly twice as fast), but it would still be pretty slow and is thus not an immediate priority.

If you need speed, it is recommended to use a faster session factory (pyramid_session_redis, for example).