cookie
Cookie handling based on paste.auth.auth_tkt, with some bug fixes and improvements.
The cookie module is accessible via the authkit.authenticate module.
Supported cookie options (described in detail in the AuthKit manual):
cookie_name
cookie_secure
cookie_includeip
cookie_signoutpath
cookie_secret
cookie_enforce_expires
cookie_params, which may contain any of these keys: expires, path, comment, domain, max-age, secure, version
Supported in the middleware but not yet used:
tokens=() user_data='' time=None
Features compared to the original paste version:
- The authenticate middleware should use authkit version of make_middleware
- We need the BadTicket handling in place
- We need to be able to use a custom AuthTicket
- The custom AuthTicket should accept cookie params specifiable in the config file
- The cookie timestamp should be available in the environment as paste.auth_tkt.timestamp
Warning
You shouldn't rely on the bad-ticket or server-side expiry code for normal sign-out, because when either is triggered the sign-in form isn't displayed.
Instead it is better to let the cookie expire naturally in the browser. For this reason the server-side expiration allows one second longer than the cookie's expire time, so it only kicks in if the browser fails to expire the cookie.
Here is an example:
from paste.httpserver import serve
from authkit.authenticate import middleware, test_app

def valid(environ, username, password):
    # users_valid callback; accepts any user whose password equals the username (demo only)
    return username == password

app = middleware(
    test_app,
    method='form',
    cookie_secret='secret encryption string',  # signs the ticket; the cookie is not encrypted
    users_valid=valid,
    cookie_signoutpath='/signout',
    cookie_params='''
expires:10
comment:test cookie
''',
    cookie_enforce=True,
)

serve(app)
Warning
The username that ends up in REMOTE_USER is stored in plain text in the cookie, as is any user data you specify, so you should be aware of these facts and design your application accordingly. In particular you should definitely not store passwords as user data.
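The warning above is easiest to appreciate with the ticket layout in hand. What follows is an added example, not code from AuthKit or Paste: a stand-alone reimplementation of the auth_tkt ticket layout that this cookie is built on (a 32-character md5 digest, an 8-character hex timestamp, then userid!tokens!user_data), written so it runs without either package installed. The names make_ticket, peek_without_secret and is_expired, and the constant-time digest comparison, are this example's own choices. It shows that userid and user_data are readable by anyone holding the cookie, that the digest rather than any encryption is what stops tampering, that binding the digest to the client IP (what cookie_includeip enables) makes the same ticket fail from another address, and the one-second grace the server-side expiry allows.

```python
import hashlib
import hmac
import time


class BadTicket(Exception):
    """Raised when a ticket cannot be parsed or its digest does not verify."""


def _ip_timestamp_bytes(ip, timestamp):
    # Four raw IP octets followed by the 32-bit big-endian timestamp.
    # With IP binding off, 0.0.0.0 is used here so the digest is address-independent.
    octets = bytes(int(part) for part in ip.split("."))
    return octets + int(timestamp).to_bytes(4, "big")


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data):
    # auth_tkt layout: md5(md5(ip+ts + secret + userid\0tokens\0user_data) + secret)
    inner = hashlib.md5(
        _ip_timestamp_bytes(ip, timestamp) + secret.encode() + userid.encode()
        + b"\0" + tokens.encode() + b"\0" + user_data.encode()
    ).hexdigest()
    return hashlib.md5(inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret, userid, ip="0.0.0.0", tokens=(), user_data="", timestamp=None):
    """Build the cookie value: <32 hex digest><8 hex timestamp><userid>!<tokens>!<user_data>."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    token_str = ",".join(tokens)
    digest = calculate_digest(ip, timestamp, secret, userid, token_str, user_data)
    value = "%s%08x%s!" % (digest, timestamp, userid)
    if token_str:
        value += token_str + "!"
    return value + user_data


def parse_ticket(secret, ticket, ip="0.0.0.0"):
    """Return (timestamp, userid, tokens, user_data) or raise BadTicket."""
    ticket = ticket.strip('"')
    digest = ticket[:32]
    try:
        timestamp = int(ticket[32:40], 16)
    except ValueError as e:
        raise BadTicket("Timestamp is not a hex integer: %s" % e)
    try:
        userid, data = ticket[40:].split("!", 1)
    except ValueError:
        raise BadTicket("userid is not followed by !")
    # Caveat of the layout: a '!' inside user_data when no tokens are present
    # is indistinguishable from the token separator.
    if "!" in data:
        tokens, user_data = data.split("!", 1)
    else:
        tokens, user_data = "", data
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data)
    # Constant-time comparison is a hardening chosen for this example.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        raise BadTicket("Digest signature is not correct")
    return timestamp, userid, tokens.split(",") if tokens else [], user_data


def peek_without_secret(ticket):
    """Everything a cookie holder can read with no knowledge of the secret."""
    timestamp = int(ticket[32:40], 16)
    userid, rest = ticket[40:].split("!", 1)
    return timestamp, userid, rest


def is_expired(ticket_timestamp, expires_seconds, now=None, grace=1):
    """Server-side check; grace=1 mirrors the one-second allowance described above."""
    now = time.time() if now is None else now
    return now > ticket_timestamp + expires_seconds + grace


if __name__ == "__main__":
    secret = "secret encryption string"  # same literal as the configuration example above
    t = make_ticket(secret, "alice", user_data="role=admin", timestamp=0x5F000000)
    print("cookie value:", t)
    print("readable without the secret:", peek_without_secret(t))
    print("verified with the secret:", parse_ticket(secret, t))
    try:
        parse_ticket(secret, t[:40] + "bob!role=admin")
    except BadTicket as e:
        print("tampered userid rejected:", e)
```

The point for application design: everything after the first 40 characters is a plain string the browser, any proxy logging Cookie headers, and any script with cookie access can read, so user_data must carry only what you would put in a public profile. The secret protects integrity, not confidentiality, and a leaked secret lets anyone mint a ticket for any userid.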
Attributes
Functions
make_cookie_handler(app, auth_conf, app_conf=None, global_conf=None, prefix='authkit.cookie.')
make_cookie_user_setter(app, auth_conf, app_conf=None, global_conf=None, prefix='authkit.cookie.')
parse_ticket(secret, ticket, ip)
Parse the ticket, returning (timestamp, userid, tokens, user_data).
If the ticket cannot be parsed, BadTicket will be raised with an explanation.
Classes
AuthKitCookieMiddleware(...)
Same as paste's AuthTKTMiddleware except you can choose your own ticket class and your cookie is removed if there is a bad ticket. Also features server-side cookie expiration and IP-based cookies which use the correct IP address when a proxy server is used.
The options are all described in detail in the cookie options part of the main AuthKit manual.
This class contains 4 members.
AuthKitTicket(...)
This is a standard paste AuthTicket class except that it also supports a cookie_params dictionary which can have the following options: expires, path, comment, domain, max-age, secure and version.
Note
Unlike the paste version, the secure option is set as a cookie parameter, not on its own.
The cookie parameters are described in the AuthKit manual under the cookie section.
This class contains 4 members.
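The Note above makes secure just another key in cookie_params. The following is an added example, not AuthKit's own code: it parses the key:value-per-line cookie_params text used in the configuration example earlier on this page into the seven attributes AuthKitTicket accepts and renders the resulting Set-Cookie header with the standard library's SimpleCookie, placing the example's original parameters beside a variant that also sets secure and path. The names parse_cookie_params and set_cookie_header, the rejection of unknown keys, and the way a secure value is interpreted are this example's assumptions.

```python
from http.cookies import SimpleCookie

# The seven keys the page lists for cookie_params.
ALLOWED_PARAMS = ("expires", "path", "comment", "domain", "max-age", "secure", "version")
FLAG_PARAMS = ("secure",)                       # emitted as a bare attribute, no value
INT_PARAMS = ("expires", "max-age", "version")  # expires and max-age are seconds


def parse_cookie_params(text):
    """Parse key:value-per-line cookie_params text into a dict of cookie attributes.

    Unknown keys raise instead of being dropped silently, so a misspelt
    security attribute cannot disappear from the header unnoticed.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("cookie_params line %r is not key:value" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key not in ALLOWED_PARAMS:
            raise ValueError("unsupported cookie parameter %r" % key)
        if key in FLAG_PARAMS:
            params[key] = value.lower() in ("true", "1", "yes", "on")
        elif key in INT_PARAMS:
            params[key] = int(value)
        else:
            params[key] = value
    return params


def set_cookie_header(name, ticket_value, params):
    """Render a Set-Cookie header value for the ticket with the parsed attributes applied."""
    cookie = SimpleCookie()
    cookie[name] = ticket_value
    morsel = cookie[name]
    for key, value in params.items():
        if key in FLAG_PARAMS:
            if value:
                morsel[key] = True   # rendered as the bare "Secure" attribute
        else:
            morsel[key] = value      # an int expires is rendered as an absolute date that many seconds ahead
    return morsel.OutputString()


if __name__ == "__main__":
    # Parameters from the page's example, then the same with secure and path added.
    original = parse_cookie_params("expires:10\ncomment:test cookie")
    hardened = parse_cookie_params("expires:10\ncomment:test cookie\nsecure:true\npath:/")
    print(set_cookie_header("authkit", "ticket-goes-here", original))
    print(set_cookie_header("authkit", "ticket-goes-here", hardened))
```

Without secure:true the ticket, and with it the plain-text username discussed in the warning above, is sent over plain HTTP as well as HTTPS; treat the second header as the baseline for any deployment that terminates TLS.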
CookieUserSetter(...)
Same as paste's AuthTKTMiddleware except you can choose your own ticket class and your cookie is removed if there is a bad ticket. Also features server-side cookie expiration and IP-based cookies which use the correct IP address when a proxy server is used.
The options are all described in detail in the cookie options part of the main AuthKit manual.
This class contains 4 members.
See the source for more information.
