CubicWeb AuthTkt authentication policy

When using the cubicweb.pyramid.auth module, which is the default in most cases, you may have to configure the behaviour of its authentication policies through standard Pyramid configuration. The following settings can be placed in your Pyramid configuration file:

Session Authentication:

This is an AuthTktAuthenticationPolicy, so you may override its default configuration values by adding configuration entries with the prefix cubicweb.auth.authtkt.session. Default values are:

cubicweb.auth.authtkt.session.hashalg = sha512
cubicweb.auth.authtkt.session.cookie_name = auth_tkt
cubicweb.auth.authtkt.session.timeout = 1200
cubicweb.auth.authtkt.session.reissue_time = 120
cubicweb.auth.authtkt.session.http_only = True

Persistent Authentication:

This is also an AuthTktAuthenticationPolicy. It is used when persistent sessions are activated (typically when using the cubicweb-rememberme cube). You may override its default configuration values by adding configuration entries with the prefix cubicweb.auth.authtkt.persistent. Default values are:

cubicweb.auth.authtkt.persistent.hashalg = sha512
cubicweb.auth.authtkt.persistent.cookie_name = pauth_tkt
cubicweb.auth.authtkt.persistent.max_age = 3600*24*30
cubicweb.auth.authtkt.persistent.reissue_time = 3600*24
cubicweb.auth.authtkt.persistent.http_only = True

Legacy timeout values from the instance's all-in-one.conf (http-session-time and cleanup-session-time) are not used at all.


There are a number of secrets to configure in pyramid.ini. They should all be different from one another, as explained in Pyramid's documentation.

For the record, regarding authentication:

cubicweb.auth.authtkt.session.secret
    This secret is used to sign the authentication cookie.

cubicweb.auth.authtkt.persistent.secret
    This secret is used to sign the persistent authentication cookie.
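A small audit helper, added here as an illustration and not part of cubicweb.pyramid.auth itself, that resolves the two prefixes above against the documented defaults and reports the configuration mistakes a reviewer checks for: a missing secret, the same secret reused for both policies, a cookie without http_only, or the weak md5 hash algorithm. The ini text is constructed for the example; the pyramid.ini layout and the cubicweb.auth.authtkt.*.secret keys are the ones described on this page.

```python
import configparser
from typing import Dict, List

SESSION_PREFIX = "cubicweb.auth.authtkt.session."
PERSISTENT_PREFIX = "cubicweb.auth.authtkt.persistent."

# Default values as documented above; kept as strings because ini values are strings.
DEFAULTS = {
    SESSION_PREFIX: {"hashalg": "sha512", "cookie_name": "auth_tkt",
                     "timeout": "1200", "reissue_time": "120", "http_only": "True"},
    PERSISTENT_PREFIX: {"hashalg": "sha512", "cookie_name": "pauth_tkt",
                        "max_age": str(3600 * 24 * 30),
                        "reissue_time": str(3600 * 24), "http_only": "True"},
}

# Constructed sample pyramid.ini with two deliberate mistakes: shared secret, http_only off.
SAMPLE_INI = """\
[app:main]
use = egg:cubicweb
cubicweb.auth.authtkt.session.secret = change-me-session
cubicweb.auth.authtkt.persistent.secret = change-me-session
cubicweb.auth.authtkt.persistent.http_only = False
"""


def load_policy_settings(ini_text: str) -> Dict[str, Dict[str, str]]:
    """Merge [app:main] entries for each AuthTkt prefix over the documented defaults."""
    parser = configparser.ConfigParser(interpolation=None)  # allow '%' inside secrets
    parser.read_string(ini_text)
    section = parser["app:main"]
    resolved: Dict[str, Dict[str, str]] = {}
    for prefix, defaults in DEFAULTS.items():
        values = dict(defaults)
        for key, value in section.items():
            if key.startswith(prefix):
                values[key[len(prefix):]] = value
        resolved[prefix] = values
    return resolved


def audit(resolved: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the policies look sane."""
    findings: List[str] = []
    secrets = {prefix: values.get("secret", "") for prefix, values in resolved.items()}
    for prefix, secret in secrets.items():
        if not secret:
            findings.append(f"{prefix}secret is missing")
    if secrets[SESSION_PREFIX] and secrets[SESSION_PREFIX] == secrets[PERSISTENT_PREFIX]:
        findings.append("session and persistent secrets must differ")
    for prefix, values in resolved.items():
        if values["http_only"].lower() not in ("true", "1", "yes", "on"):
            findings.append(f"{prefix}http_only is disabled")
        if values["hashalg"].lower() == "md5":
            findings.append(f"{prefix}hashalg is md5")
    return findings
```

Running `audit(load_policy_settings(SAMPLE_INI))` on the sample reports the shared secret and the disabled http_only flag.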

Activate the CubicWeb AuthTkt authentication policy.

Usually called via config.include('cubicweb.pyramid.auth').

See also cubicweb.pyramid.defaults

class cubicweb.pyramid.auth.UpdateLoginTimeAuthenticationPolicy

Bases: object

An authentication policy that updates the user's last_login_time.

The update is done in the ‘remember’ method, which is called by the login views login,

Usually used via includeme().