I've read the documentation, but there doesn't seem to be a conclusive tutorial that has the entire process where someone logs in, their session is maintained via beaker or the default session system, and then they log out (or I haven't found it). From my understanding so far:

```python
from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember

# inside the login view
if 'form.submit' in request.POST:
    usr = request.params['username']
    pw = request.params['password']
    # *** verify username/password logic ***
    headers = remember(request, usr_id)
    return HTTPFound(location=welcome_screen, headers=headers)
```

headers() basically creates a cookie that identifies the session, right? After that, I can access said session via beaker like so?:

```python
request.session['usr_id']
```

... and to log out and invalidate the session I use:

```python
from pyramid.security import forget

headers = forget(request)  # forget() takes only the request
return HTTPFound(location=logout_screen, headers=headers)
```

I'm just trying to create a very simple app that allows someone to log in and log out; I'm not using a db backend; the usernames and passwords are held in a global variable and will not change (this is just something I'm playing with to learn sessions and authentication).
Here is a simple app that allows login and logout:

```python
import os
from wsgiref.simple_server import make_server

from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from pyramid.httpexceptions import HTTPFound
from pyramid.security import forget, remember
from pyramid.view import view_config

here = os.path.dirname(os.path.abspath(__file__))

# credentials held in a global, as in the question (constructed placeholder values)
USERS = {'admin': 'admin'}


@view_config(route_name='main', renderer='main.mako')
def main_view(request):
    return {}


@view_config(route_name='login', renderer='login.mako')
def login_view(request):
    login = request.params.get('login')
    password = request.params.get('password')
    if request.method == 'POST':
        if login and USERS.get(login) == password:
            # remember() returns the Set-Cookie headers for the auth ticket
            headers = remember(request, login)
            return HTTPFound('/', headers=headers)
    return {}


@view_config(route_name='logout')
def logout(request):
    # forget() returns headers that clear the auth ticket cookie
    headers = forget(request)
    return HTTPFound(location='/', headers=headers)


if __name__ == '__main__':
    # configuration settings
    settings = {}
    settings['mako.directories'] = os.path.join(here, 'templates')
    authn_policy = AuthTktAuthenticationPolicy('sosecret', hashalg='sha512')
    authz_policy = ACLAuthorizationPolicy()
    config = Configurator(settings=settings)
    config.include('pyramid_mako')
    config.add_static_view('static', os.path.join(here, 'static'))
    config.set_authentication_policy(authn_policy)
    config.set_authorization_policy(authz_policy)
    config.add_route('main', '/')
    config.add_route('login', '/login')
    config.add_route('logout', '/logout')
    config.scan()
    app = config.make_wsgi_app()
    server = make_server('0.0.0.0', 8080, app)
    server.serve_forever()
```

Full code here.
> headers() basically creates a cookie that identifies the session, right? After that, I can access said session via beaker like so?

Yes, you are almost right. It creates a cookie that identifies the user; the session uses another cookie. You can access the user_id via `request.authenticated_userid`.

`AuthTktAuthenticationPolicy` is a backend that uses a signed cookie: when you call `remember(request, user)` it returns headers with a cookie signed by your secret key. When you call `forget(request)` it just returns headers that would remove this cookie.

Note: if a user knew your secret key, then he could authenticate as any user.

Also, you may create your own auth backend that uses other methods (maybe HTTP basic authentication). Pyramid also comes bundled with some other auth backends. If you want to change the cookie lifetime you can set the `max_age` param of the `AuthTktAuthenticationPolicy` backend. For more info see the class docs.
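To make the signed-cookie point above concrete, here is an added illustration (my own code, not Pyramid's, and not its real auth_tkt wire format) of what remember()/forget()-style tickets do: a ticket signed with the secret verifies, a tampered one or one signed with another secret is rejected, anyone holding the secret can mint a ticket for any userid, and `max_age` expires old tickets.

```python
import hashlib
import hmac
import time

# Constructed illustration, not Pyramid's real auth_tkt cookie format: a
# ticket "timestamp:userid:hmac" signed with the policy's secret.
SECRET = b"sosecret"  # plays the role of the secret given to AuthTktAuthenticationPolicy


def make_ticket(userid, secret=SECRET, now=None):
    """What remember() does in spirit: sign 'timestamp:userid' with the secret."""
    ts = int(time.time() if now is None else now)
    payload = f"{ts}:{userid}".encode()
    sig = hmac.new(secret, payload, hashlib.sha512).hexdigest()
    return f"{ts}:{userid}:{sig}"


def parse_ticket(ticket, secret=SECRET, max_age=None, now=None):
    """Return the userid if the signature (and optional max_age) check out, else None."""
    try:
        head, sig = ticket.rsplit(":", 1)
        ts_str, userid = head.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return None  # malformed cookie: treat as anonymous
    expected = hmac.new(secret, head.encode(), hashlib.sha512).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None  # tampered, or signed with a different secret
    if max_age is not None and (time.time() if now is None else now) - ts > max_age:
        return None  # older than max_age: behaves like an expired cookie
    return userid


def logout_headers(cookie_name="auth_tkt"):
    """What forget() does in spirit: a Set-Cookie header that expires the ticket."""
    return [("Set-Cookie", f"{cookie_name}=; Max-Age=0; Path=/; HttpOnly")]


def demo(now=1_700_000_000):
    """Exercise the cases the answer describes; returns a dict of outcomes."""
    ticket = make_ticket("alice", now=now)
    return {
        "valid": parse_ticket(ticket, now=now),
        "tampered": parse_ticket(ticket.replace("alice", "admin"), now=now),
        "wrong_secret": parse_ticket(make_ticket("admin", secret=b"guess", now=now), now=now),
        # a user who knows the secret can mint a ticket for any userid
        "leaked_secret": parse_ticket(make_ticket("admin", now=now), now=now),
        "expired": parse_ticket(ticket, max_age=3600, now=now + 7200),
    }
```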