CubicWeb AuthTkt authentication policy

When using the cubicweb.pyramid.auth module, which is the default in most cases, you may have to configure the behaviour of its authentication policies through standard Pyramid configuration. You may want to set the following in your Pyramid configuration file:

Session Authentication

This is an AuthTktAuthenticationPolicy, so you may override the default configuration values by adding configuration entries with the prefix cubicweb.auth.authtkt.session. Default values are:

cubicweb.auth.authtkt.session.hashalg = sha512
cubicweb.auth.authtkt.session.cookie_name = auth_tkt
cubicweb.auth.authtkt.session.timeout = 1200
cubicweb.auth.authtkt.session.reissue_time = 120
cubicweb.auth.authtkt.session.http_only = True

Persistent Authentication

This is also an AuthTktAuthenticationPolicy. It is used when persistent sessions are activated (typically when using the cubicweb-rememberme cube). You may override the default configuration values by adding configuration entries with the prefix cubicweb.auth.authtkt.persistent. Default values are:

cubicweb.auth.authtkt.persistent.hashalg = sha512
cubicweb.auth.authtkt.persistent.cookie_name = pauth_tkt
cubicweb.auth.authtkt.persistent.max_age = 3600*24*30
cubicweb.auth.authtkt.persistent.reissue_time = 3600*24
cubicweb.auth.authtkt.persistent.http_only = True


Legacy timeout values from the instance’s all-in-one.conf (http-session-time and cleanup-session-time) are not used at all.
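To see how the documented defaults combine with prefixed overrides from pyramid.ini, here is an added example (not CubicWeb's own code) that merges cubicweb.auth.authtkt.session.* and cubicweb.auth.authtkt.persistent.* entries onto those defaults and flags settings a reviewer would question; SAMPLE_SETTINGS is a constructed stand-in for a parsed settings file, and the checks themselves are this example's assumptions, not rules enforced by CubicWeb.

```python
import operator
from functools import reduce

# Defaults exactly as documented above, kept as the strings an .ini file yields
DEFAULTS = {
    "session": {"hashalg": "sha512", "cookie_name": "auth_tkt", "timeout": "1200",
                "reissue_time": "120", "http_only": "True"},
    "persistent": {"hashalg": "sha512", "cookie_name": "pauth_tkt", "max_age": "3600*24*30",
                   "reissue_time": "3600*24", "http_only": "True"},
}
INT_KEYS = {"timeout", "reissue_time", "max_age"}

def as_seconds(value):
    """Parse '1200' or a product such as '3600*24*30' without using eval()."""
    return reduce(operator.mul, (int(p) for p in value.split("*")))

def as_bool(value):
    return str(value).strip().lower() in {"true", "yes", "on", "1"}

def policy_settings(settings, kind):
    """Keyword arguments for one policy ('session' or 'persistent'): the documented
    defaults, overridden by any cubicweb.auth.authtkt.<kind>.* entry in settings."""
    prefix = f"cubicweb.auth.authtkt.{kind}."
    merged = dict(DEFAULTS[kind])
    merged.update({k[len(prefix):]: v for k, v in settings.items() if k.startswith(prefix)})
    return {k: as_seconds(v) if k in INT_KEYS else as_bool(v) if k == "http_only" else v
            for k, v in merged.items()}

def check_policies(session, persistent):
    """Problems worth raising before deploying the two policies (assumed checks)."""
    problems = []
    if session["cookie_name"] == persistent["cookie_name"]:
        problems.append("session and persistent cookies share a name")
    if session["reissue_time"] >= session["timeout"]:
        problems.append("session reissue_time must be below timeout")
    if persistent["reissue_time"] >= persistent["max_age"]:
        problems.append("persistent reissue_time must be below max_age")
    for name, pol in (("session", session), ("persistent", persistent)):
        if not pol["http_only"]:
            problems.append(f"{name} cookie exposed to scripts (http_only off)")
    return problems

# Constructed stand-in for a parsed pyramid.ini: shorter session, http_only mistakenly off
SAMPLE_SETTINGS = {
    "cubicweb.auth.authtkt.session.timeout": "600",
    "cubicweb.auth.authtkt.persistent.http_only": "False",
}
```

Calling check_policies(policy_settings(SAMPLE_SETTINGS, "session"), policy_settings(SAMPLE_SETTINGS, "persistent")) reports only the disabled http_only on the persistent cookie.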


There are a number of secrets to configure in pyramid.ini. They should be different from each other, as explained in Pyramid's documentation.

For the record, regarding authentication:


This secret is used to encrypt the authentication cookie.


This secret is used to encrypt the persistent authentication cookie.


Activate the CubicWeb AuthTkt authentication policy.

It is automatically included by the configuration system, unless the following entry is added to the Pyramid settings file:

cubicweb.pyramid.auth = no

class cubicweb.pyramid.auth.UpdateLoginTimeAuthenticationPolicy

Bases: object

An authentication policy that updates the user's last_login_time.

The update is done in the ‘remember’ method, which is called by the login views login,

Usually used via includeme().