
I come from the PHP world, and I've just started learning the Pyramid framework. Currently I'm trying to figure out what's the best option to store user data.

So in PHP I coded a model that utilized PHP's built-in sessions in combination with cookies. Cookies were only ever used if the user chose to tick the 'remember me' box while logging in. So when the user was logged in, a session contained data that would legitimize the login. When the session expired, a check would be made for valid cookies, which would then re-create the session and extend the date till which the cookie is valid.

So here in Pyramid, I would like to do something that is similar, but possibly easier and better. I am currently interested in Beaker for Pyramid: http://beaker.readthedocs.org/en/latest/

My dilemma is, which persistence method should I use? If I'm going to use Beaker just for sessions, then I think I want to go with memcached or a memory-only configuration. If I want to add persistence, I definitely wanna go with a MySQL database through SQLAlchemy, as I'd hate to clutter the server with session files. Or I could just go with encrypted cookies in the first place, and therefore even eliminate a ton of work that would have to be done with cookies additionally anyway, thus eliminating the need to store the session on the server as well.

What do you suggest me to go with?

As this site is not intended to be mainstream thing, but rather a tool for high level clients, I don't think remember me option is really necessary, I think I pretty much want to have it on by default, therefore should I just go with Beaker Cookies based Session?

What should my Pyramid development.ini configuration look like in that case?

zneak
if __name__ is None
  • What were you planning to store in the sessions? Just the login? – Wiz Jan 05 '13 at 20:50
  • If all you need is authentication, you don't need a full session (where a cookie is tied to a server-side per-user temporary data store) at all. Just use an [Authorization policy](http://docs.pylonsproject.org/projects/pyramid/en/1.4-branch/narr/security.html#enabling-an-authorization-policy) instead. – Martijn Pieters Jan 05 '13 at 21:38
  • @MartijnPieters Yes, I do want to use authorization policy to protect the views, but I don't understand how can authorization policy alone store the session/cookies for me? – if __name__ is None Jan 05 '13 at 22:19
  • @Wiz Yea, but not in form of username:password, but rather custom authentic login identifier, user id, etc... – if __name__ is None Jan 05 '13 at 22:24
  • Sorry, I meant authentication. See [the tutorial](http://pyramid.readthedocs.org/en/latest/tutorials/wiki/authorization.html#add-authentication-and-authorization-policies). The `AuthTktAuthenticationPolicy` manages a cookie for you (with the `remember` and `forget` methods). – Martijn Pieters Jan 05 '13 at 22:28
  • @MartijnPieters so if I understand correctly, pyramid.security.remember sets cookies for me and signs them using md5 hash. But, I still have to encrypt the content myself, right? Also, how can I add more cookies to it? Does it take parameters, like to have ability to set for how many days cookies should last? How do I extend the cookies validity outside of login view? pyramid.security.forget will unset all cookies that came with request? – if __name__ is None Jan 05 '13 at 23:35
  • @JanNetherdrake: Right, if you need to remember *more* things for a user, then you either need to use extra cookies (for small amounts of things to remember), *or* use a session, and then you'd be best off using Beaker. – Martijn Pieters Jan 06 '13 at 10:43
  • @JanNetherdrake: See the [documentation for the AuthTktAuthenticationPolicy](http://pyramid.readthedocs.org/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy) for what parameters it takes; I've [written an answer about one of the params](http://stackoverflow.com/questions/12765349/pyramid-authtktauthenticationpolicy-secret-parameter/12767843#12767843) before. – Martijn Pieters Jan 06 '13 at 10:48
  • Okay, I think I will go with AuthTktAuthenticationPolicy for now as it is a quick and easy solution, and then upgrade to Beaker if more flexibility is required. Thanks for the help. – if __name__ is None Jan 06 '13 at 15:54
  • Beaker's db session storage is rather easy to use, check this out: http://stackoverflow.com/questions/7966980/difference-between-database-and-sqla-backends-in-beaker – lekksi Sep 05 '13 at 21:49

1 Answer


If you want to use beaker with memcached for your sessions your config should include something like this:

config.ini:

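```ini
pyramid.includes =
    pyramid_tm
    pyramid_beaker

# Keep Beaker session data in memcached
session.type = ext:memcached
# memcached server address as host:port
session.url = url:11211
# Directory Beaker uses for its lock files
session.lock_dir = /tmp/memcached/lock
```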

You could use cookies instead if you want. Also you don't need to use memcached and could store as files locally on the server or in memory.

jchysk
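
For the cookie-only setup the question asks about, here is a constructed `development.ini` fragment together with a small checker for its `session.*` settings, added as an example (not code from the answer or from Beaker). The option names are Beaker's; the cookie name, the placeholder key values and the `audit_session_settings` helper are assumptions.

```python
import configparser

# Constructed development.ini fragment for Beaker's cookie-only sessions.
# Key values are placeholders: generate long random secrets for real use.
SAMPLE_INI = """
[app:main]
pyramid.includes =
    pyramid_tm
    pyramid_beaker

session.type = cookie
session.key = myapp_session
session.validate_key = REPLACE_WITH_RANDOM_SIGNING_SECRET
session.encrypt_key = REPLACE_WITH_RANDOM_ENCRYPTION_SECRET
session.httponly = true
session.secure = true
session.cookie_expires = 2592000
"""

TRUE = {"true", "1", "yes", "on"}

def audit_session_settings(ini_text, section="app:main"):
    """Return a list of findings for the Beaker session.* settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    s = {k: v.strip() for k, v in parser[section].items() if k.startswith("session.")}
    findings = []
    if s.get("session.type") == "cookie":
        # Cookie-only sessions keep all data client-side, so signing is mandatory.
        if not s.get("session.validate_key"):
            findings.append("cookie session has no validate_key (cannot be signed)")
        if not s.get("session.encrypt_key"):
            findings.append("no encrypt_key: session data is signed but readable by the client")
    for flag in ("session.secure", "session.httponly"):
        if s.get(flag, "").lower() not in TRUE:
            findings.append(f"{flag} is not enabled")
    for name in ("session.validate_key", "session.encrypt_key", "session.secret"):
        if s.get(name, "").startswith("REPLACE_"):
            findings.append(f"{name} still holds a placeholder value")
    return findings

if __name__ == "__main__":
    for finding in audit_session_settings(SAMPLE_INI):
        print(finding)
```

Cookie-only sessions are bounded by the browser's cookie size limit (about 4 KB), and `encrypt_key` requires an AES library to be installed for Beaker to use.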