cubicweb.pyramid.session
Web session when using pyramid
CubicWeb provides a CWSession entity type so that sessions can be stored in the database, which makes it possible to run a CubicWeb instance without having to set up a separate session storage solution (like redis or memcache).
However, for production systems, using such a storage solution for sessions is strongly advised.
Session handling is done by pyramid (see Pyramid's documentation on sessions for more details).
For example, to set up a redis-based session storage, you need the pyramid-session-redis package; you must then configure pyramid to use this backend in the pyramid configuration file:
[main]
# we do not want to load the default cw session handling
cubicweb.defaults = no
cubicweb.auth.authtkt.session.secret = <secret1>
cubicweb.auth.authtkt.persistent.secret = <secret2>
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = yes
redis.sessions.secret = <secret3>
redis.sessions.prefix = <my-app>:
redis.sessions.url = redis://localhost:6379/0
cubicweb.pyramid.auth = yes
pyramid.includes =
    pyramid_session_redis
Warning
If you want to be able to log in to a CubicWeb application served by pyramid over an unsecured stream (typically when you start an instance in dev mode using a simple cubicweb-ctl start -D -linfo myinstance), you must set cubicweb.auth.authtkt.session.secure to no.
Secrets
There are a number of secrets to configure in pyramid.ini. They should all be different from one another, as explained in Pyramid's documentation.
For the record, regarding session handling:
- cubicweb.session.secret
This secret is used to encrypt the session's data ID (the data themselves are stored in the backend, database or redis) when using the integrated (CWSession based) session data storage.
- redis.sessions.secret
This secret is used to encrypt the session's data ID (the data themselves are stored in the backend, database or redis) when using redis as backend.
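An added example, not part of the CubicWeb documentation or code base: a small Python check that the secrets in a pyramid.ini are distinct, are not leftover placeholders, and that the cookie secure flags from the configuration above are enabled. The function name, the sample values and the 32-character minimum are assumptions made for this illustration.

```python
import configparser

MIN_SECRET_LEN = 32  # assumption: local policy, not a CubicWeb or Pyramid rule
SECURE_KEYS = (      # cookie flags from the pyramid.ini example on this page
    "cubicweb.auth.authtkt.session.secure",
    "cubicweb.auth.authtkt.persistent.secure",
)
TRUTHY = {"t", "true", "y", "yes", "on", "1"}

# Constructed sample: one reused secret, one placeholder, one insecure cookie.
SAMPLE_INI = """
[main]
cubicweb.auth.authtkt.session.secret = constructed-sample-secret-value-0001
cubicweb.auth.authtkt.persistent.secret = constructed-sample-secret-value-0001
cubicweb.auth.authtkt.session.secure = yes
cubicweb.auth.authtkt.persistent.secure = no
redis.sessions.secret = <secret3>
"""


def audit_pyramid_ini(text):
    """Return a list of findings for the [main] section of a pyramid.ini."""
    # interpolation=None: a '%' inside a secret must not be treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    main = parser["main"] if parser.has_section("main") else {}
    findings = []
    seen = {}  # secret value -> first key that used it
    for key, value in main.items():
        if not key.endswith(".secret"):
            continue
        value = value.strip()
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"{key}: placeholder left in place")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
        if value in seen:
            findings.append(f"{key}: same value as {seen[value]}")
        else:
            seen[value] = key
    for key in SECURE_KEYS:
        if main.get(key, "").strip().lower() not in TRUTHY:
            findings.append(f"{key}: not set to yes, cookie may travel over HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_pyramid_ini(SAMPLE_INI):
        print(finding)
```

On a development instance served over plain HTTP the secure-flag finding is expected, as the warning above explains.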
- cubicweb.pyramid.session.includeme(config)
Activate the CubicWeb session factory.
It is automatically included by the configuration system, unless the following entry is added to the Pyramid Settings file:
cubicweb.pyramid.session = no
- cubicweb.pyramid.session.CWSessionFactory(secret, cookie_name='session', max_age=None, path='/', domain=None, secure=False, httponly=True, set_on_exception=True, timeout=1200, reissue_time=120, hashalg='sha512', salt='pyramid.session.', serializer=None)
A pyramid session factory that stores session data in the CubicWeb database.
Storage is done with the "CWSession" entity, which is provided by the "pyramid" cube.
Warning
Although it provides a sane default behavior, this session storage has a serious overhead because it uses RQL to access the database.
Using pure SQL would improve things a bit (it is roughly twice as fast), but it is still pretty slow and thus not an immediate priority.
It is recommended to use a faster session factory (pyramid_session_redis for example) if you need speed.