pyramid.session

UnencryptedCookieSessionFactoryConfig(secret, timeout=1200, cookie_name='session', cookie_max_age=None, cookie_path='/', cookie_domain=None, cookie_secure=False, cookie_httponly=False, cookie_on_exception=True, signed_serialize=<function signed_serialize>, signed_deserialize=<function signed_deserialize>)

    Configure a session factory which will provide unencrypted (but signed) cookie-based sessions. The return value of this function is a session factory, which may be provided as the session_factory argument of a pyramid.config.Configurator constructor, or used as the session_factory argument of the pyramid.config.Configurator.set_session_factory() method.

    The session factory returned by this function will create sessions which are limited to storing fewer than 4000 bytes of data (as the payload must fit into a single cookie).
    Parameters:

    secret - A string which is used to sign the cookie.
    timeout - A number of seconds of inactivity before a session times out.
    cookie_name - The name of the cookie used for sessioning. Default: session.
    cookie_max_age - The maximum age of the cookie used for sessioning (in seconds). Default: None (browser scope).
    cookie_path - The path used for the session cookie. Default: /.
    cookie_domain - The domain used for the session cookie. Default: None (no domain).
    cookie_secure - The ‘secure’ flag of the session cookie. Default: False.
    cookie_httponly - The ‘httpOnly’ flag of the session cookie. Default: False.
    cookie_on_exception - If True, set a session cookie even if an exception occurs while rendering a view. Default: True.
    signed_serialize - A callable which takes a more or less arbitrary Python data structure and a secret and returns a signed serialization in bytes. Default: signed_serialize (using pickle).
    signed_deserialize - A callable which takes a signed and serialized data structure in bytes and a secret and returns the original data structure if the signature is valid. Default: signed_deserialize (using pickle).
signed_serialize(data, secret)

    Serialize any pickleable structure (data) and sign it using the secret (must be a string). Return the serialization, which includes the signature as its first 40 bytes. The signed_deserialize method will deserialize such a value.

    This function is useful for creating signed cookies. For example:

        cookieval = signed_serialize({'a':1}, 'secret')
        response.set_cookie('signed_cookie', cookieval)
signed_deserialize(serialized, secret, hmac=<module 'hmac'>)

    Deserialize the value returned from signed_serialize. If the value cannot be deserialized for any reason, a ValueError exception will be raised.

    This function is useful for deserializing a signed cookie value created by signed_serialize. For example:

        cookieval = request.cookies['signed_cookie']
        data = signed_deserialize(cookieval, 'secret')
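Because signed_serialize and signed_deserialize are plain callables accepted by the factory, a JSON-based pair can be substituted for the pickle defaults. The following is an added example and not Pyramid's own code: it assumes the layout the page describes (a 40-character hex signature, taken here to be HMAC-SHA1, followed by the base64 payload), and the names json_signed_serialize, json_signed_deserialize, rejects, fits_in_cookie and demo are hypothetical.

```python
import base64, binascii, hashlib, hmac, json

SIG_LEN = 40  # hex HMAC-SHA1 digest, placed before the base64 payload (assumed layout)

def _to_bytes(value):
    return value.encode("utf-8") if isinstance(value, str) else value

def json_signed_serialize(data, secret):
    """Serialize ``data`` as JSON and prefix an HMAC-SHA1 over the payload."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    sig = hmac.new(_to_bytes(secret), payload, hashlib.sha1).hexdigest()
    return sig + base64.b64encode(payload).decode("ascii")

def json_signed_deserialize(serialized, secret):
    """Verify the signature before decoding; raise ValueError on any failure."""
    try:
        input_sig = _to_bytes(serialized[:SIG_LEN])
        payload = base64.b64decode(_to_bytes(serialized[SIG_LEN:]), validate=True)
    except (binascii.Error, TypeError) as exc:
        raise ValueError("Badly formed base64 data: %s" % exc)
    expected = hmac.new(_to_bytes(secret), payload, hashlib.sha1).hexdigest()
    # Constant-time comparison: a plain != would leak how many bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), input_sig):
        raise ValueError("Invalid signature")
    return json.loads(payload.decode("utf-8"))

def rejects(serialized, secret):
    """True if the deserializer refuses the value (tampered, wrong secret, malformed)."""
    try:
        json_signed_deserialize(serialized, secret)
    except ValueError:
        return True
    return False

def fits_in_cookie(serialized, limit=4000):
    # The factory keeps sessions under 4000 bytes so they fit a single cookie.
    return len(_to_bytes(serialized)) < limit

def demo(secret="example-secret"):
    """Round-trip a constructed session, then exercise the failure modes."""
    session = {"user": "alice", "csrf_token": "cafe1234"}
    cookieval = json_signed_serialize(session, secret)
    # Constructed tampering attempt: old signature kept, payload replaced.
    swapped = cookieval[:SIG_LEN] + base64.b64encode(b'{"user":"admin"}').decode("ascii")
    return {
        "roundtrip": json_signed_deserialize(cookieval, secret) == session,
        "fits": fits_in_cookie(cookieval),
        "tampered_rejected": rejects(swapped, secret),
        "wrong_secret_rejected": rejects(cookieval, "other-secret"),
        "malformed_rejected": rejects("x" * SIG_LEN + "not base64!", secret),
    }
```

The cookie is signed, not encrypted, so anything placed in the session is readable by the client; the secret is the only thing preventing forged contents.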
check_csrf_token(request, token='csrf_token', raises=True)

    Check the CSRF token in the request’s session against the value in request.params.get(token). If a token keyword is not supplied to this function, the string csrf_token will be used to look up the token within request.params. If the value in request.params.get(token) doesn’t match the value supplied by request.session.get_csrf_token(), and raises is True, this function will raise a pyramid.httpexceptions.HTTPBadRequest exception. If the check does not succeed and raises is False, this function will return False. If the CSRF check is successful, this function will return True unconditionally.

    Note that using this function requires that a session factory is configured.

    New in version 1.4a2.